@Butterfly Bones, I have the sense you are fighting this too hard. If you let scribe do its thing, you should end up in the right place.
1. Uninstall scribe. Check to see that the /opt/etc/init.d/S01syslog-ng and rc.func.syslog-ng files are gone. Check to see the /opt/etc/logrotate.d and /syslog-ng.d directories are gone. Delete the logs in /opt/var/log EXCEPT for the Dnsmasq logs. Killall syslog-ng.
2. Now, copy the curl instruction from post 1 and install scribe. This is to insure you start with the corrected 0.9.1.
3. run "pidof syslog-ng". You should get two numbers. Run "pidof klogd" and "pidof syslogd"; neither should return a number.
4. In firewall settings, make sure that the custom location is now /opt/var/log/syslog-o.
5. From examples, copy the skynet and openvpn configs back to /opt/etc/syslog-ng.d. Make sure they do not have a kernel source. I don't think you need to bother with logrotate until you've got the rest working.
6. In s01syslog-ng, see that the only source statement that isn't commented out is the src {system(); internal();} statement.
7. Scribe restart. Repeat #3.
Here is the sequence of how the skynet log statements work (I think):
1. Iptables uses the kernel logger to generate its BLOCKED statements. Those go to the /proc/kmsg file. Syslog-ng picks those up using the system() function, adds the timestamp and the host, and then they fall to the skynet config, where they are sent to syslog-o and further processing of that message stops. Other kernel or system log messages are picked up, don't hit one of the separate configs, and get written to /opt/var/log/messages. That message file is symlinked to /tmp/syslog, which appears in the webgui.
If skynet is pointed to /tmp/syslog for any reason, this breaks, and almost everything about skynet stats breaks, because what happens next doesn't happen.
2. Hourly, cron runs the /jffs/scripts/firewall save command. That runs the Purge_Logs function in skynet, which takes all the Blocked messages and copies them to the /skynet/skynet.log file and the events.log file. Then it deletes all of those messages from the syslog-0 file. Then, it runs stats, because anytime a command is run, stats is run. Stats reads the skynet.log file, and then prints that hourly stats line to the system logger using the function Print_Log. That message gets picked up by the system() function, and then is sent by syslog-ng to the skynet-0 file. (I confess I'm having a hard time understanding exactly how and what Purge_Logs is doing here, because of the tildes and the !d stuff, and how Print_Log gets called). If you've changed the skynet log location, Purge_Logs will run on the file it reads from the symlink to messages, which doesn't have any skynet messages, and then destroy the symlink, which means the webui doesn't ever see messages again, even though syslog-ng is still running. It also means no lines are written to the skynet.log file and events.log file, and no stats are there to be generated. That will continue until you do scribe restart, which will through a bit of cleverness by
@cmkelley, notice that the symlink is gone and reform it. But at the hour it will get broken again, because it doesn't change the skynet setting.
I am not getting an hourly stat message either, but I think that is because one isn't being generated by skynet, not anything to do with this. I'm not sure why.