Documentation
DocumentationDiscussions
Documentation
These docs are for v2024.1. Click to read the latest docs for v2024.3.

HTTPS (TLS/SSL)

HTTPS helps keep your event data and user credentials secure

Seq can serve its web user interface and event ingestion endpoint on HTTPS.

Certificates

To configure HTTPS for Seq, you'll first need a certificate for the hostname that Seq is listening on. I.e. if you want to use Seq at https://seq.example.com then you'll need an SSL certificate for that domain.

🚧

For TLS to provide effective security, you need to ensure that both the apps writing log events, and the client machines used to browse to Seq web user interface, trust the certificate assigned to the Seq server.

It is possible to disable certificate validation in apps, or ignore certificate validation warnings in web browsers, but in both of these cases it is unlikely TLS provides any material protection against an observer intercepting communication with the server.

The certificate needs to be stored in the Local Machine/Personal certificate store on the Seq server.

If you don't generally issue certificates for machines in your organisation, you can follow these instructions to generate a self-signed certificate.

Finding the Certificate Thumbprint

The easiest way to obtain the certificate's thumbprint or "hash" is via IIS Manager's Server Certificates page.

921

Copy the thumbprint to the clipboard as-is.

📘

To retrieve the thumbprint for a certificate without IIS Manager, open the Manage computer certificates app from the Windows Start screen.

Configure Seq

With the certificate installed and the thumbprint located, the last step is to configure Seq to listen at an HTTP URI.

The command-line below shows the complete process. If you've used named instances of Seq, or installed to a custom data folder, you'll need to include those parameters as appropriate.

The instructions assume that Seq will listen on the standard HTTPS port 443.

seq bind-ssl --thumbprint="THUMBPRINT HERE"
seq config set -k api.listenUris -v https://YOURSERVER
seq service restart

The bind-ssl command accepts a --port= parameter, and this should be specified if the Seq listening endpoint is different from the HTTPS default of 443. Run seq help <command> to see complete options for any of the commands above.

Specify --hostname= if the server is using SNI to distinguish between multiple hosted domain names.

Cipher Suites and Protocol Versions

Because Seq uses the Windows HTTP stack, configuration for TLS cipher suites and protocol versions is the same as for IIS on Windows.

We recommend using a configuration tool such as IISCrypto by Nartac Software to view, disable, and enable various cipher suites and protocol versions.