24observe
checking… Sign in Start free
Docs · runbook

Incident response runbook.

What to check, in what order, when something is wrong. Skim it once now so you remember where to look at 3am.

Status page reads "incident"

Your dashboard or our public status page shows a monitor as down or degraded.

  1. Open the affected monitor's detail page. Look at "Recent checks" — are all recent checks failing the same way? Same status code? Same error?
  2. If so, the issue is likely on the target service, not on our checking. Verify the URL responds correctly from your own machine.
  3. If verification from your own machine succeeds, your service may be partitioned away from our checking infrastructure. Try reaching it from a different network.
  4. Acknowledge the incident in the dashboard so other team members know it's being looked at. Post an update with what you've found.
  5. Resolve the incident when the service is back. The next check tick will mark the monitor as up automatically.

Alerts aren't reaching me

You have an alert webhook / Slack / Discord configured but no message arrived for a known-down monitor.

  1. Open the monitor → "Send test alert to all configured channels". Each channel reports per-channel pass/fail with the exact error.
  2. If a channel is "not configured", check the monitor's edit page — the URL field may be blank.
  3. If a channel reports "failed: HTTP 401" (or similar), the URL/token is wrong or revoked. Re-copy from the upstream provider (Slack/Discord/etc) and save.
  4. If all channels are configured AND test passes BUT real alerts don't arrive: check your alert threshold (default 1, but if you've raised it, the monitor needs that many consecutive failures before paging).
  5. Check our public status page — if our alert pipeline itself is degraded, you'll see it there.

Heartbeat monitor flapping

Your cron job runs but the heartbeat monitor still goes down intermittently.

  1. Check the timing: if your job takes > (intervalSec + heartbeatGraceSec), every late completion looks like a miss. Increase the grace seconds on the monitor.
  2. Check the receive URL is correct — log it from your job and compare to the dashboard.
  3. Verify the POST returns 204 (use curl -fsS -X POST <url>). 4xx means the token is rotated or invalid.
  4. Heartbeat URL leaked? Open the monitor → "Rotate". The old URL is invalidated immediately.

Self-host: container won't start

You ran docker compose up -d and one or more services are crashlooping.

  1. docker compose logs <service> — read the last error.
  2. The most common cause: missing or weak env vars. JWT_SECRET must be ≥64 chars, ENCRYPTION_KEY must be ≥32 chars. Check your .env.
  3. If the API can't reach Postgres: check Postgres is healthy with docker compose ps. The API depends on it.
  4. If migrations haven't run, the API will crash on first DB call. Run docker compose run --rm --entrypoint "" -w /app/packages/db api node dist/migrate.js.

Self-host: ran out of disk

  1. The check-results table grows over time. Check disk usage with docker system df -v.
  2. The 90-day TTL on the time-series table prunes automatically. If you need it shorter, edit the TTL in the migration and re-apply.
  3. Log volume can also grow. Loki retention can be tightened in infra/loki/config.yaml.

Database has been compromised / token leak

Treat as a security incident. Time matters.

  1. If a personal access token leaked: Settings → API tokens → Revoke. Anything using it stops working immediately.
  2. If your webhook signing secret leaked: Settings → Webhook signing secret → Rotate. Future webhooks signed with the new secret; receivers must update.
  3. If a heartbeat URL leaked: open the monitor → Rotate. Old URL is invalidated.
  4. If your password leaked: Settings → Change password (proves you have the current one).
  5. If the entire DB is suspected compromised: rotate ENCRYPTION_KEY (re-encrypts headers on next monitor PATCH), rotate JWT_SECRET (invalidates all sessions), rotate every PAT.
  6. Email [email protected] if you suspect the issue is in our software.

Where to ask