So once you have the unix app installed, one of the things it does is monitors /var/log. However you can't seem to search the logs as if you add /var/log as a directory input. And since it is already monitored, you can't add it again. How do you fix this?
If a directory is already added (/var/log), there is no need to add it again. Once added means, it monitors ANY files in there. In the search app, it shouldn't be a problem now to search for evens stored in /var/log although the directory has been added by *nix app.
I think the difficulty arises in that the unix app puts the events into index="os".
1) Try adding index="os" to your search. I bet you'll be able to see the events then.
2) Go to Manager > Authentication > Roles, and you can edit some or all of your roles such that index'os' is implicitly included when searches are run. Be careful though - there are two index sections on those pages and they look different but they do very different things.