Kestrel on Windows
Seq uses Windows built-in HTTP.sys web server by default. The Kestrel web server is an alternative with better support for some modern web technologies, including the HTTP features required for OTLP/gRPC service hosting.
Kestrel is the default and only supported web server option when hosting Seq on Linux, and has been used in this role since the Seq 5.0 release in 2018.
Feature differences
This section compares Seq hosted under Kestrel with Seq under HTTP.sys. It's not exhaustive, but should point out what you can expect to gain and lose by enabling Kestrel instead of HTTP.sys.
✅ Enabled by Kestrel
- OTLP/gRPC ingestion is enabled (HTTPS only)
- TLS certificates may be loaded from the
Certificates\
storage folder in PFX or PEM format as on Linux
⛔ Unsupported with Kestrel
- Windows Integrated Authentication via NTLM/Kerberos/Negotiate is unsupported (Active Directory authentication remains supported, but users must supply a username and password to the Seq login screen)
seq bind-ssl
is unsupported; this command configures HTTP.sys (see below for TLS configuration instructions for Kestrel)- SNI is unsupported
- Hosting Seq under a "virtual directory" path is unsupported
- Only one Seq instance can listen on each port
- Incoming requests will not be filtered by hostname
Enabling Kestrel
At install time or by running Seq Service Administration
The Seq Service Administration wizard supports configuring Kestrel via the "configure Kestrel instead" hyperlink beneath the Listen URI text field:
Selecting "configure Kestrel instead" will modify the available options and fully configure Kestrel on completion of the wizard.
The wizard can be found under the Windows Start menu.
At the command line
From an administrative PowerShell prompt:
seq config set -k api.webServer -v Kestrel
seq service restart
However, be careful to check the api.listenUris
setting to ensure that Seq listens at most once at each port. If multiple api.listenUris
entries exist for the same port, Seq will fail to start. Use the seq config
commands to show and manipulate this setting.
See also the section on TLS configuration immediately below.
TLS configuration
When hosting Seq under Kestrel on Windows, Seq searches the Local Computer\Personal
certificate store for SSL certificates that:
- Match the hostname portion of the HTTPS URI Seq is configured to serve traffic for; e.g. if
https://seq.example.com
is configured in the installation wizard, Seq will look for a certificate with subjectCN=seq.example.com
("Issued to"seq.example.com
), and - That include a private key.
The Seq service account also needs appropriate permissions to read these certificates; this is set automatically by the Seq Service Administration tool/install wizard, but will have to be manually applied if configuring Seq via the command-line.
To check or add these permissions, find the certificate in certlm.msc
:
Then, right click on the certificate, select All Tasks, Manage Private Keys..., and add the SeqDefaultInstance
service account (or other service account used by Seq) with full control to the permissions associated with the certificate.
Switching back to HTTP.sys
If for any reason you need to switch Seq from Kestrel to HTTP.sys, the best approach is to reconfigure Seq by running Seq Service Administration from the Windows Start menu, and leaving the default HTTP.sys web server configuration selected.
To switch back manually, at an administrative PowerShell prompt run:
seq config clear -k api.webServer
seq service restart
You may need to consult the logs in C:\ProgramData\Seq\Logs
to diagnose any problems arising from differences in configuration.
Updated over 1 year ago