Service Account Requirements
When Seq is deployed on Windows, it is best practice to run the Seq Windows Service using a service account with non-administrative permissions.
When the account is created, it will not be able to log in as a service by default. Before configuring Seq, grant the service Log on as a Service rights (instructions).
The Seq service needs to be removed and re-added with the username and password of the service account supplied; this will also normally configure other required permissions for the account:
seq service uninstall
seq service install -u <DOMAIN\user> -p <password>
The username must be specified as DOMAIN\user
or MACHINE\user
.
Don't forget to supply the
--storage
argument toseq service install
if you want Seq data stored in a non-default location.
In some cases, if the service user is a domain account, then it must be started manually the first time from Services.msc before the credentials will be accepted (reports are infrequent and the causes currently unknown).
If Seq still will not start, ensure the account has:
- Read/write access to storage locations - the account must be able to read and write the configured storage location (by default
C:\ProgramData\Seq
) as well as the log file location (C:\ProgramData\Seq\Logs
, even if storage is configured differently) - Permission to listen on the hostname/port/path -
netsh http add urlacl
can be used to configure this manually
Attempting to start Seq interactively with runas /user:<username> seq run
can sometimes reveal issues in the server's console output, if the log file in C:\ProgramData\Seq\Logs
does not show any information.
Updated almost 3 years ago