Alerts

Monitoring only helps if it tells you in time. Lookout’s alerting watches each report (and sweeps the fleet for silent hosts), turns a host’s health into one clear message, and delivers it to Slack, Teams, or any webhook — and stays quiet otherwise.

What triggers an alert

  • A server crosses into warning or critical (e.g. a full disk or high memory).
  • A server goes stale — no report for 5 minutes — which usually means it’s down. A background sweep runs every minute, so a host that stops reporting still pages you.
  • The severity gets worse while a problem is open (warning → critical re-alerts even if you’d acknowledged the warning).

Rules, set from the dashboard

A rule decides when a server’s state is worth alerting on and where to send it — all from the Notifications page, no config files to edit. Each rule has:

  • Server — all hosts, or one exact host.
  • Minimum severity — fire at warning, critical, or only when a host goes silent.
  • Channels — one or more of your configured destinations.
  • Flap window — how many consecutive observations confirm a state before it fires (damps flapping).
  • Repeat every — how often to re-notify an open, unacknowledged incident.

A sensible default rule (fleet-wide, warning and above, remind every 30 minutes) is seeded the first time you configure a channel, so you have working alerting out of the box.

Channels

  • Slack / Teams — an incoming-webhook message to the channel of your choice.
  • Webhook — POST the event anywhere (PagerDuty, Opsgenie, your own handler).
  • Email — delivered through Lookout’s hosted notification service (available on hosted plans). Self-hosters can point Lookout at their own notification service; a built-in SMTP mailer is on the roadmap.

Every outbound URL — webhooks and the notification service — is validated against an SSRF guard before any request is sent (and re-checked on every send), so a webhook can never be pointed at internal services or cloud metadata.
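
An illustration of the kind of check such a guard performs, and of why it is repeated on every send. This is an added example, not Lookout's own code; the names `check_outbound_url`, `system_resolver` and `make_flipping_resolver`, and the injectable `resolver` parameter, are assumptions made for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def system_resolver(host, port):
    """Resolve host to a list of IP strings via the OS resolver."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]


def check_outbound_url(url, resolver=system_resolver):
    """Return the vetted IPs for url, or raise ValueError. Call before every send."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    if parts.username or parts.password or not parts.hostname:
        raise ValueError("URL must have a host and no embedded credentials")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        addrs = [str(ipaddress.ip_address(parts.hostname))]  # literal IP
    except ValueError:
        addrs = resolver(parts.hostname, port)               # hostname
    if not addrs:
        raise ValueError("host did not resolve")
    vetted = []
    for addr in addrs:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 zone id
        if ip.version == 6 and ip.ipv4_mapped:
            ip = ip.ipv4_mapped  # judge ::ffff:a.b.c.d by its IPv4 address
        # Reject loopback, RFC 1918, link-local (cloud metadata), CGNAT, etc.
        if not ip.is_global or ip.is_multicast:
            raise ValueError("%s resolves to non-public address %s"
                             % (parts.hostname, ip))
        vetted.append(str(ip))
    return vetted  # connect to one of these, not to a fresh DNS answer


# Constructed sample data: a resolver whose answer changes between calls,
# standing in for a DNS record that is re-pointed after the webhook is saved.
def make_flipping_resolver(answers):
    it = iter(answers)
    return lambda host, port: [next(it)]
```

A check made only when the webhook is saved would pass the first answer and never see the second, which is why the guard runs again at send time. The sender should also refuse or re-validate HTTP redirects, since a redirect target is not covered by a check on the configured URL.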

Designed to avoid noise

  • Dedupe — one alert per problem, not one per report.
  • Flap-damping — a value bouncing across a threshold won’t spam you.
  • Escalation — an unresolved incident reminds you on a cadence you set.
  • Acknowledge / snooze — say “I’m on it” to stop the reminders without waiting for recovery; a worsening severity still re-alerts.
  • Recovery — you get a single ✅ recovered notice when it clears.

What the messages look like

🟠 Lookout: web-01 is warning — disk /data is 84% full
🔴 Lookout: db-02 is critical — disk / is 94% full
⚪ Lookout: app-03 is stale
✅ Lookout: web-01 recovered (was warning)