Here is another tutorial on Sysdig and Falco. Both tools are aware of containers, therefore you can specify an LXD container name and it shows output only relating to that container.
Sysdig does troubleshooting and incorporates the functionality of several utilities including lsof, tcpdump, htop.
Falco does monitoring. It comes with some default rules (fire an event if they use sudo or su) and it is possible to add your own.