
Cybersecurity Triage

Review Recent Docker Events

Something changed on the host and you need a quick timeline of recent Docker activity.

Command

docker events --since 30m --until 0s

What changed

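Nothing changes on the host. Docker reads daemon events for a bounded time window: --since 30m starts the window 30 minutes ago and --until 0s ends it now, so the command prints the matching events and exits instead of streaming.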

Danger

safe

When to use it

Use after an unexplained restart, image pull, container stop, or health-status change.

When not to use it

Do not treat it as a permanent audit log; Docker events are not a compliance log.

Undo or recovery

No undo needed because this command is read-only.

Expected output

Timestamped Docker events such as start, die, pull, health_status, or restart.

demo script

Disposable terminal steps

  1. docker events --since 30m --until 0s
  2. docker events --since 30m --until 0s --filter type=container

simulated output

What it looks like

$ docker events --since 30m --until 0s
2026-06-25T14:14:50 image pull registry.example/api:v1.9.4
2026-06-25T14:15:01 container start web
2026-06-25T14:18:05 container die api exitCode=1
2026-06-25T14:18:06 container restart api
::exit-code::0
$ docker events --since 30m --until 0s --filter type=container
2026-06-25T14:15:01 container start web
2026-06-25T14:18:05 container die api exitCode=1
2026-06-25T14:18:06 container restart api
::exit-code::0
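
An added example, not part of the original lesson: a small Python filter that reduces the same event window to triage findings. It assumes the events were exported as JSON lines with docker events --since 30m --until 0s --format '{{json .}}'; the sample input is constructed from the simulated output above with made-up container IDs, and the finding labels and the 5-second restart window are choices of this example.

```python
import json
import sys
from datetime import datetime, timezone

# Constructed sample: the lesson's simulated events in the JSON-lines shape of
# `docker events --format '{{json .}}'`. Container IDs are made up.
SAMPLE = """\
{"Type":"image","Action":"pull","Actor":{"ID":"registry.example/api:v1.9.4","Attributes":{"name":"registry.example/api"}},"time":1782396890}
{"Type":"container","Action":"start","Actor":{"ID":"aaaa1111","Attributes":{"name":"web"}},"time":1782396901}
{"Type":"container","Action":"die","Actor":{"ID":"bbbb2222","Attributes":{"name":"api","exitCode":"1"}},"time":1782397085}
{"Type":"container","Action":"restart","Actor":{"ID":"bbbb2222","Attributes":{"name":"api"}},"time":1782397086}
"""

def parse(lines):
    """Yield (epoch, type, action, subject, attributes); skip malformed lines."""
    for line in lines:
        try:
            ev = json.loads(line)
            actor = ev.get("Actor") or {}
            attrs = actor.get("Attributes") or {}
            # Containers read best by name, images by their reference (Actor.ID).
            subject = attrs.get("name") if ev["Type"] == "container" else actor.get("ID")
            yield int(ev["time"]), ev["Type"], ev["Action"], subject or "?", attrs
        except (ValueError, KeyError, TypeError, AttributeError):
            continue

def triage(lines, restart_window=5):
    """Return (utc_time, label, detail) for image pulls, non-zero exits, unhealthy
    checks, and a start/restart within restart_window seconds of a failed exit."""
    findings, last_failed = [], {}
    for ts, typ, action, name, attrs in sorted(parse(lines), key=lambda e: e[0]):
        when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        if typ == "image" and action == "pull":
            findings.append((when, "image-pull", name))
        elif typ != "container":
            continue
        elif action == "die" and attrs.get("exitCode", "0") != "0":
            last_failed[name] = ts
            findings.append((when, "failed-exit", f"{name} exitCode={attrs['exitCode']}"))
        elif action in ("start", "restart") and ts - last_failed.get(name, float("-inf")) <= restart_window:
            findings.append((when, "restart-after-failure", name))
        elif action == "health_status: unhealthy":
            findings.append((when, "unhealthy", name))
    return findings

if __name__ == "__main__":
    source = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    for finding in triage(source):
        print(*finding)
```

Run with no input it reports on the constructed sample; to use live data, pipe the docker events command above into the script (saved under any name, for example triage_events.py, a hypothetical filename).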
