What do you use for container monitoring?
I’d like to create some baseline on what the container normally does and then compare that regularly when deployed in production. Like what processes are executed, which files are opened, syscalls made …
Auditd does not seem to handle containers well, though I did not test it.
I had some limited success with sysdig. It was a bit flaky, some lxd relevant issues are open since quite a while. It does not run with LXD 4.0 and some commands seem to not work (like spy_users). Are there alternatives ?