In the world of Docker container monitoring, we often pay a heavy “Observability Tax.” We deploy complex stacks—Prometheus, Grafana, Node Exporter, cAdvisor—just to check if a container is OOM (Out of Memory). For large Kubernetes clusters, that complexity is justified. For a fleet of Docker servers, home labs, or edge devices, it’s overkill.
Enter Beszel. It is a lightweight monitoring hub that fundamentally changes the ROI of observability. It gives you historical CPU, RAM, and Disk I/O data, plus specific Docker stats for every running container, all while consuming less than 10MB of RAM.
This guide is for the expert SysAdmin or DevOps engineer who wants robust metrics without the bloat. We will deploy the Beszel Hub, configure Agents with hardened security settings, and set up alerting.
Table of Contents
Why Beszel for Docker Environments?
Unlike push-based models that require heavy scrappers, or agentless models that lack granularity, Beszel uses a Hub-and-Agent architecture designed for efficiency.
- Low Overhead: The agent is a single binary (packaged in a container) that typically uses negligible CPU and <15MB RAM.
- Docker Socket Integration: By mounting the Docker socket, the agent automatically discovers running containers and pulls stats (CPU/MEM %) directly from the daemon.
- Automatic Alerts: No complex PromQL queries. You get out-of-the-box alerting for disk pressure, memory spikes, and offline status.
Pro-Tip: Beszel is distinct from “Uptime Monitors” (like Uptime Kuma) because it tracks resource usage trends inside the container, not just HTTP 200 OK statuses.
Step 1: Deploying the Beszel Hub (Control Plane)
The Hub is the central dashboard. It ingests metrics from all your agents. We will use Docker Compose to define it.
Hub Configuration
services:
beszel:
image: 'henrygd/beszel:latest'
container_name: 'beszel'
restart: unless-stopped
ports:
- '8090:8090'
volumes:
- ./beszel_data:/beszel_data
Deployment:
Run docker compose up -d. Navigate to http://your-server-ip:8090 and create your admin account.
Step 2: Deploying the Agent (Data Plane)
This is where the magic happens. The agent sits on your Docker hosts, collects metrics, and pushes them to the Hub.
Prerequisite: In the Hub UI, click “Add System”. Enter the IP of the node you want to monitor. The Hub will generate a Public Key. You need this key for the agent configuration.
The Hardened Agent Compose File
We use network_mode: host to allow the agent to accurately report network interface statistics for the host machine. We also mount the Docker socket in read-only mode to adhere to the Principle of Least Privilege.
services:
beszel-agent:
image: 'henrygd/beszel-agent:latest'
container_name: 'beszel-agent'
restart: unless-stopped
network_mode: host
volumes:
# Critical: Mount socket RO (Read-Only) for security
- /var/run/docker.sock:/var/run/docker.sock:ro
# Optional: Mount extra partitions if you want to monitor specific disks
# - /mnt/storage:/extra-filesystems/sdb1:ro
environment:
- PORT=45876
- KEY=YOUR_PUBLIC_KEY_FROM_HUB
# - FILESYSTEM=/dev/sda1 # Optional: Override default root disk monitoringTechnical Breakdown
/var/run/docker.sock:ro: This is the critical line for Docker Container Monitoring. It allows the Beszel agent to query the Docker Daemon API to fetch real-time stats (CPU shares, memory usage) for other containers running on the host. The:roflag ensures the agent cannot modify or stop your containers.network_mode: host: Without this, the agent would only report network traffic for its own container, which is useless for host monitoring.
Step 3: Advanced Alerting & Notification
Beszel simplifies alerting. Instead of writing alert rules in YAML files, you configure them in the GUI.
Go to Settings > Notifications. You can configure:
- Webhooks: Standard JSON payloads for integration with custom dashboards or n8n workflows.
- Discord/Slack: Paste your channel webhook URL.
- Email (SMTP): For traditional alerts.
Expert Strategy: Configure a “System Offline” alert with a 2-minute threshold. Since Beszel agents push data, the Hub immediately knows when a heartbeat is missed, providing faster “Server Down” alerts than external ping checks that might be blocked by firewalls.
Comparison: Beszel vs. Prometheus Stack
For experts deciding between the two, here is the resource reality:
| Feature | Beszel | Prometheus + Grafana + Exporters |
|---|---|---|
| RAM Usage (Agent) | ~10-15 MB | 100MB+ (Node Exporter + cAdvisor) |
| Setup Time | < 5 Minutes | Hours (Configuring targets, dashboards) |
| Data Retention | SQLite (Auto-pruning) | TSDB (Requires management for long-term) |
| Ideal Use Case | VPS Fleets, Home Labs, Docker Hosts | Kubernetes Clusters, Microservices Tracing |
Frequently Asked Questions (FAQ)
Is it safe to expose the Docker socket?
Mounting docker.sock always carries risk. However, by mounting it as read-only (:ro), you mitigate the risk of the agent (or an attacker inside the agent) modifying your container states. The agent only reads metrics; it does not issue commands.
Can I monitor remote servers behind a NAT/Firewall?
Yes. Because the Agent connects to the Hub (or the Hub can connect to the agent, but the standard Docker setup usually relies on the Agent knowing the Hub’s location if using the binary, but in the Docker agent setup, the Hub scrapes the agent).
Correction for Docker Agent: The Hub actually polls the agent. Therefore, if your Agent is behind a NAT, you have two options:
1. Use a VPN (like Tailscale) to mesh the networks.
2. Use a reverse proxy (like Caddy or Nginx) on the Agent side to expose the port securely with SSL.
Does Beszel support GPU monitoring?
As of the latest versions, GPU monitoring (NVIDIA/AMD) is supported but may require passing specific hardware devices to the container or running the binary directly on the host for full driver access.
Conclusion
For Docker container monitoring, Beszel represents a shift towards “Just Enough Administration.” It removes the friction of maintaining the monitoring stack itself, allowing you to focus on the services you are actually hosting.
Your Next Step: Spin up the Beszel Hub on a low-priority VPS today. Add your most critical Docker host as a system using the :ro socket mount technique above. You will have full visibility into your container resource usage in under 10 minutes. Thank you for reading the DevopsRoles page!
