I think the difficulty arises in that the unix app puts the events into index="os".
1) Try adding index="os" to your search. I bet you'll be able to see the events then.
2) Go to Manager > Authentication > Roles, and you can edit some or all of your roles such that index'os' is implicitly included when searches are run. Be careful though - there are two index sections on those pages and they look different but they do very different things.
If a directory is already added (/var/log), there is no need to add it again. Once added means, it monitors ANY files in there. In the search app, it shouldn't be a problem now to search for evens stored in /var/log although the directory has been added by *nix app.