and it should not be popper. So offer a wider range of the log prior to 22:04, cauze - as roman wrote - e.g. a mount cmd ends up with such modified [c|m]times.
The rest of the log around that time +-1 hour also just consists of qrunner and popper log entries, dropped packages from the firewall and:
Jul 16 21:59:00 p15089763 /USR/SBIN/CRON[14347]: (root) CMD ( rm -f /var/spool/cron/lastrun/cron.hourly) Jul 16 22:59:00 p15089763 /USR/SBIN/CRON[14612]: (root) CMD ( rm -f /var/spool/cron/lastrun/cron.hourly)
There have been definitely NO mounts or umounts. At least not regularly each day. Except if any SuSE cron job mounts and umounts something regularly?
Turn on "fascist" logging, eg allmessages (line in syslog.conf). It could as well be some mail triggering this, depending on the sickness of some software (that wouldn't work with ro-mounted /etc). Check _all_ syslogs from that time. Check if you have an automounter running. At last, use the tmpwatch package (temp-watch -d /etc) to check, it's more like winning a race if you want to see something, but still. (Hint for winning the race: Do "renice -15 $$" as root and _then_ run the temp-watch program. Box gets sluggish then, of course.) The tool isn't really that smart...
Matthias Riese
Roman.
Maybe that will be your final solution: I did following: google: file hook linux and got that: http://www.sysinternals.com/linux/utilities/filemon.shtml Let me now wether it meet your needs. Huhu, they wrote that stuff using kylix, so i'll be able to patch it down to console if it necessary. Michael