Docker Monitoring

Alert on container exits, OOM kills, restart loops, and failed healthchecks.

Lookout can watch the Docker daemon's event stream and alert on abnormal container behaviour. It is disabled by default and requires Docker to be running on the host.

Enable it

docker:
  enabled: true
  severity: critical
  restart_threshold: 3
  restart_window: 10m

Then restart the service:

sudo systemctl restart lookout

What it alerts on

When enabled, Lookout listens to container events and alerts on:

  • Non-zero exits — a container stopped with a non-zero exit code.
  • OOM kills — a container was killed by the out-of-memory killer.
  • Restart loops — more than restart_threshold restarts within restart_window.
  • Failed healthchecks — a container's Docker healthcheck went unhealthy.

Intentional stops are ignored, and quick restarts are debounced, so a normal restart doesn't immediately look like a failed container.
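The four conditions above can be expressed as a small classifier over the JSON lines that `docker events --format '{{json .}}'` emits. This is an added sketch, not Lookout's own code: the function names, the rule that a `stop`/`kill` event marks the next exit as intentional, and the rule that a `start` after an unrequested `die` counts as one restart are all assumptions, and the sample events are constructed.

```python
import json
from collections import defaultdict, deque

def classify(lines, threshold=3, window=600):
    """Map Docker event JSON lines to (container, alert) pairs (defaults: threshold 3, window 10m)."""
    alerts, restarts = [], defaultdict(deque)
    requested, died = set(), set()   # operator stop/kill pending; exited and not yet started
    for line in lines:
        ev = json.loads(line)
        if ev.get("Type") != "container":
            continue
        action, ts = ev["Action"], ev["time"]
        attrs = ev["Actor"]["Attributes"]
        name = attrs.get("name", ev["Actor"]["ID"][:12])
        if action in ("stop", "kill"):
            requested.add(name)      # assumption: treat the following exit as intentional
        elif action == "oom":
            alerts.append((name, "oom_kill"))
        elif action == "die" and name not in requested:
            died.add(name)
            if attrs.get("exitCode", "0") != "0":
                alerts.append((name, "non_zero_exit"))
        elif action == "health_status: unhealthy":
            alerts.append((name, "unhealthy"))
        elif action == "start":
            requested.discard(name)
            if name in died:         # assumption: start after an unrequested die = one restart
                died.discard(name)
                q = restarts[name]
                q.append(ts)
                while ts - q[0] > window:   # drop restarts older than the window
                    q.popleft()
                if len(q) > threshold:      # "more than restart_threshold"
                    alerts.append((name, "restart_loop"))
                    q.clear()               # one alert per burst
    return alerts

def event(action, ts, name, **attrs):
    """Build one constructed event line in the shape Docker emits."""
    actor = {"ID": "0" * 64, "Attributes": {"name": name, **attrs}}
    return json.dumps({"Type": "container", "Action": action, "Actor": actor, "time": ts})

# Constructed sample: an operator kill of "probe", then an OOM kill and crash loop on "api".
SAMPLE = [event("kill", 100, "probe", signal="9"), event("die", 101, "probe", exitCode="137"),
          event("oom", 200, "api"), event("die", 200, "api", exitCode="137")]
SAMPLE += [e for t in range(201, 240, 10)
           for e in (event("start", t, "api"), event("die", t + 5, "api", exitCode="1"))]
if __name__ == "__main__":
    print(classify(SAMPLE))
```
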

Permissions

The lookout service user needs access to the Docker daemon socket, which is where the event stream is read from. On most systems, add it to the docker group:

sudo usermod -aG docker lookout
sudo systemctl restart lookout

Membership in the docker group is effectively root access on the host, because the group can use the full Docker API and not only the event stream. Weigh that tradeoff before enabling Docker monitoring on security-sensitive systems.

Testing

With the agent running, exercise a container in another terminal:

docker run -d --name probe nginx
docker restart probe
docker kill probe

Watch the events and alerts in the journal:

journalctl -u lookout -f