I have my forwarder sending audit.log data, and most of the dashboards on the Linux Auditd app are populating and working correctly, but I am wondering why I can't get the system call dashboard to do anything. I have the system call dashboard set to search across all hosts, posix users, commands, system calls, etc., and the preset time is set to "all time", and I get nothing populating.
Run the search, remove the user query from it, and see if there are any logs where user is not "unknown".