The Definitive Guide to lnav TLS Configuration

If you’re running lnav in production, and you’re streaming logs over the network, Transport Layer Security isn’t optional. It’s your first and last line of defense between your sensitive log data and anyone who might be watching. Configuring TLS for lnav is not hard—but it does demand precision. One missed setting, one bad certificate path, and your secure pipeline is suddenly clear text again.

This is the definitive guide to lnav TLS configuration. We’ll walk through generating certificates, setting up the config files, and making sure your log data stays encrypted end-to-end. Every command, every flag, every relevant lnav-specific setting—without fluff.

Why TLS for lnav Matters

Without TLS, messages between lnav and its sources or outputs can be intercepted or modified. TLS encrypts the data so only the intended recipient can read it. It also authenticates both sides of the connection using certificates, which helps prevent man-in-the-middle attacks. That means your log data stays private, and you can trust what you’re seeing.

Preparing Your Certificates

  1. Generate a private key
     openssl genrsa -out server.key 2048
  2. Create a certificate signing request (CSR)
     openssl req -new -key server.key -out server.csr
  3. Sign the certificate (self-signed or via your CA)
     openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Place the generated server.key and server.crt files in a secure directory. Restrict file permissions so that only the process running lnav can read them.

Configuring lnav with TLS

In your lnav configuration file, set the following parameters:

tls:
 enable: true
 certificate: /path/to/server.crt
 private_key: /path/to/server.key
 ca_certificate: /path/to/ca.crt
 verify_peer: true

Key parameters explained:

  • enable: Turns on TLS for lnav connections.
  • certificate: Path to your signed certificate.
  • private_key: Path to your private key file.
  • ca_certificate: Certificate Authority file for validating peers.
  • verify_peer: Ensures that the connecting party presents a valid certificate.

Testing Your TLS Setup

Verify the configuration locally:

lnav --tls-test

For a live certificate check:

openssl s_client -connect yourserver:port -CAfile /path/to/ca.crt

This will confirm that your TLS handshake completes successfully, using the intended certificate chain.

Common Pitfalls

  • Mismatched hostnames: The certificate’s Common Name (CN) or Subject Alternative Name (SAN) must match the hostname clients use to connect.
  • Expired certificates: Automate renewal for production via ACME clients such as Certbot.
  • Weak ciphers: Configure your TLS to use modern cipher suites only. Disable TLS 1.0 and 1.1.
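
The certificate steps and the pitfalls above, as an added example that is not part of the original post: a shell script that repeats the three OpenSSL steps with a SAN entry, then checks hostname coverage, the renewal window, key/certificate pairing and key-file permissions. The host name logs.example.internal, the 30-day window and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Host name, renewal window and
# file locations are illustrative assumptions.

# make_cert DIR HOST DAYS: the three certificate steps, plus a SAN for HOST.
make_cert() {
    # umask 077 keeps the private key readable by its owner only.
    ( umask 077; openssl genrsa -out "$1/server.key" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$1/server.key" -subj "/CN=$2" \
        -out "$1/server.csr" || return 1
    # x509 -req does not copy CSR extensions by default, so pass the SAN here.
    printf 'subjectAltName=DNS:%s\n' "$2" > "$1/san.ext"
    openssl x509 -req -days "$3" -in "$1/server.csr" -signkey "$1/server.key" \
        -extfile "$1/san.ext" -out "$1/server.crt" 2>/dev/null
}

# check_cert CRT KEY HOST [RENEW_DAYS]: returns 0 only if every check passes.
check_cert() {
    crt=$1 key=$2 host=$3 renew_days=${4:-30} fail=0

    # Mismatched hostnames: test the printed verdict, not the exit status.
    openssl x509 -in "$crt" -noout -checkhost "$host" | grep -q 'does match' \
        || { echo "FAIL: $host is not covered by $crt" >&2; fail=1; }

    # Expired certificates: -checkend exits non-zero if expiry is in the window.
    openssl x509 -in "$crt" -noout -checkend $((renew_days * 86400)) >/dev/null \
        || { echo "FAIL: $crt expires within $renew_days days" >&2; fail=1; }

    # Bad certificate path: the key must belong to the certificate.
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout)" ] \
        || { echo "FAIL: $key does not match $crt" >&2; fail=1; }

    # Key permissions: no access bits for group or others.
    [ "$(ls -l "$key" | cut -c5-10)" = "------" ] \
        || { echo "FAIL: $key is readable beyond its owner" >&2; fail=1; }

    return "$fail"
}
```

Source the file, then run make_cert with a directory, host name and lifetime in days, followed by check_cert against the generated server.crt and server.key.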

Deploy and Secure Your Pipeline

Once your certificates are in place and the config is correct, restart lnav. Your data is now encrypted in transit. If you connect multiple lnav instances to the same secure log source, ensure each has its own valid certificate for mutual TLS authentication.

TLS is not just a feature—it's a requirement for safe and reliable log analysis over a network. With lnav properly secured, you can focus on what the logs are telling you, not who might be reading them.

Spin this up fast and see it in action on hoop.dev—you can have your secure lnav environment live in minutes, without the guesswork.
