Documentation
DocumentationDiscussions
Documentation
These docs are for v4. Click to read the latest docs for v2024.3.

SSL

SSL helps keeps your event data and user credentials secure

Seq can serve its web user interface and event ingestion endpoint over SSL. A license key is required in order to use this feature.

Certificates

To configure SSL for Seq, you'll first need a certificate for the hostname that Seq is serving on. I.e. if you want to use Seq at https://my-seq.mycompany.com then you'll need an SSL certificate for that domain.

🚧

For SSL to provide effective security, you need to ensure that both the apps writing log events, and the client machines used to browse to Seq web user interface, trust the certificate assigned to the Seq server.

It is possible to disable certificate validation in apps, or ignore certificate validation warnings in web browsers, but in both of these cases it is unlikely SSL provides any material protection against an observer intercepting communication with the server.

The certificate needs to be stored in the Local Machine/Personal certificate store on the Seq server.

If you don't generally issue certificates for machines in your organisation, you can follow these instructions to generate a self-signed certificate.

Finding the Certificate Thumbprint

The easiest way to obtain the certificate's thumbprint or "hash" is via IIS Manager's Server Certificates page.

921

Copy the thumbprint to the clipboard as-is.

📘

To retrieve the thumbprint for a certificate without IIS Manager, open the Manage computer certificates app from the Windows Start screen.

Configure Seq

With the certificate installed and the thumbprint located, the last step is to configure Seq to listen at an HTTP URI.

The command-line below shows the complete process. If you've used named instances of Seq, or installed to a custom data folder, you'll need to include those parameters as appropriate.

The instructions assume that Seq will listen on the standard HTTPS port 443.

seq bind-ssl --thumbprint="THUMBPRINT HERE"
seq config -k api.listenUris -v https://YOURSERVER
seq restart

The bind-ssl command accepts a --port= parameter, and this should be specified if the Seq listening endpoint is different from the HTTPS default of 443. Run seq help <command> to see complete options for any of the commands above.

Seq 4.1 specify --hostname= if the server is using SNI to distinguish between multiple hosted domain names.