Service Account Requirements

When Seq is deployed on Windows, it is best practice to run the Seq Windows Service using a service account with non-administrative permissions.

A newly created account cannot log on as a service by default. Before configuring Seq, grant the service account the Log on as a service right (instructions).

The Seq service needs to be removed and re-added with the username and password of the service account supplied; this will also normally configure other required permissions for the account:

seq service stop
seq service uninstall
seq service install -u <DOMAIN\user> -p <password>
seq service start

The username must be specified as DOMAIN\user or MACHINE\user.

Don't forget to supply the --storage argument to seq service install if you want Seq data stored in a non-default location.

In some cases, if the service user is a domain account, the service must be started manually the first time from Services.msc before the credentials will be accepted (reports are infrequent and the causes are currently unknown).

If Seq still will not start, ensure the account has:

  • Read/write access to storage locations - the account must be able to read and write the configured storage location (by default C:\ProgramData\Seq) as well as the log file location (C:\ProgramData\Seq\Logs, even if storage is configured differently)
  • Permission to listen on the hostname/port/path - netsh http add urlacl can be used to configure this manually

Attempting to start Seq interactively with runas /user:<username> seq run can sometimes reveal issues in the server's console output, if the log file in C:\ProgramData\Seq\Logs does not show any information.
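
The two checks listed above, plus a confirmation that the account is non-administrative, can be scripted. The following PowerShell is an added example, not part of the Seq documentation or tooling; the account name and listen URL are hypothetical placeholders, and the Modify right is used as a proxy for read/write access.

```powershell
# Added example (not Datalust code). Run on the Seq host from an elevated PowerShell 5.1+ prompt.
param(
    [string]$Account   = 'MACHINE\seqsvc',   # hypothetical service account name
    [string[]]$Paths   = @('C:\ProgramData\Seq', 'C:\ProgramData\Seq\Logs'),  # defaults from the page
    [string]$ListenUrl = 'http://+:80/'      # assumed; use the URL Seq is configured to listen on
)

$sidType = [System.Security.Principal.SecurityIdentifier]
$sid     = ([System.Security.Principal.NTAccount]$Account).Translate($sidType)
$name    = $sid.Translate([System.Security.Principal.NTAccount]).Value   # canonical DOMAIN\user
$modify  = [System.Security.AccessControl.FileSystemRights]::Modify      # proxy for read/write

function Test-ModifyAccess([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    # Explicit and inherited ACEs, compared by SID so name formatting does not matter.
    # Limitation: only ACEs naming the account itself are considered, not its groups.
    $mine  = @((Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
               Where-Object { $_.IdentityReference.Value -eq $sid.Value })
    $allow = @($mine | Where-Object { $_.AccessControlType -eq 'Allow' -and
                                      ($_.FileSystemRights -band $modify) -eq $modify })
    $deny  = @($mine | Where-Object { $_.AccessControlType -eq 'Deny' -and
                                      [int]($_.FileSystemRights -band $modify) -ne 0 })
    return ($allow.Count -gt 0 -and $deny.Count -eq 0)
}

function Test-UrlAcl([string]$Url) {
    # netsh lists the reservation's user; with no reservation the account name is absent.
    $out = & netsh http show urlacl "url=$Url"
    return [bool]($out | Select-String -SimpleMatch $name)
}

# Direct membership of BUILTIN\Administrators (well-known SID); nested groups are not expanded.
$isAdmin = @(Get-LocalGroupMember -SID 'S-1-5-32-544' |
             Where-Object { $_.SID.Value -eq $sid.Value }).Count -gt 0

$report = @()
foreach ($p in $Paths) {
    $report += [pscustomobject]@{ Check = "Read/write on $p"; Pass = (Test-ModifyAccess $p)
                                  Fix   = "icacls `"$p`" /grant `"${name}:(OI)(CI)M`"" }
}
$report += [pscustomobject]@{ Check = "URL reservation for $ListenUrl"; Pass = (Test-UrlAcl $ListenUrl)
                              Fix   = "netsh http add urlacl url=$ListenUrl user=$name" }
$report += [pscustomobject]@{ Check = 'Not a local administrator'; Pass = (-not $isAdmin)
                              Fix   = 'Remove the account from BUILTIN\Administrators' }
$report | Format-Table -AutoSize -Wrap
```

The script only reads state; the Fix column shows the command to run for any row where Pass is False.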