Using HeartSuite Core Secure Log

Monitoring permission errors and adding program access via the HeartSuite Core Secure activity log.

Overview: The Dashboard and its review queues are the primary way to review and resolve permission events. The HeartSuite Core Secure activity log (/.hs/sys/hs-activity-log.txt) is available for advanced troubleshooting and for understanding what the review queues process behind the scenes.

Dashboard Review Tools (Primary)

The Dashboard shows pending event counts for each queue and provides a Suggested Next Step. Select a queue to begin reviewing.

The three review queues — Programs ([p]), File Access ([f]), and Internet Access ([i]) — parse log data automatically, enrich it with package metadata, and present events through the tiered review model. You do not need to read raw log files to complete allowlisting.

For details on the review process, single-key actions, and the tiered model, see Allowlisting Basics.

The HeartSuite Core Secure Activity Log (Advanced)

The activity log at /.hs/sys/hs-activity-log.txt records all permission events in text format. It is useful for:

  • Confirming that a specific program or file access was logged
  • Troubleshooting when the Dashboard shows zero pending events but a program still fails
  • Scripting and automation workflows that need raw event data

Log Message Formats

Program execution events:

[Setup Notice - Add program to Allowlist?] Not Whitelisted: /usr/bin/nano

File access events:

[Setup Notice - Add to Allowlist?] File Access Attempt Logged: Program: /usr/bin/nano; File: /etc/ld.so.cache

Network connection events:

[Setup Notice - Add to Network Allowlist?] Network Connection Attempt Logged by /usr/bin/wget; IP: 45.60.22.168

Viewing the Log

The log requires root access to read:

# cat /.hs/sys/hs-activity-log.txt

To filter for specific programs:

# grep nano /.hs/sys/hs-activity-log.txt

When to Use the Raw Log

Scenario | Recommended approach
--- | ---
Routine allowlisting | Dashboard and review queues
Checking whether a specific event was captured | Raw log with grep
Understanding why a program fails after allowlisting | Raw log to identify missing file or network permissions
Bulk scripting or automation | Raw log as input to batch_record_add.py (see Batch Allowlisting Tools)