Hello there,
This behaviour is caused by the permissions that are configured for the following URLs:
http://+:5985/wsman/
http://+:5986/wsman/
On the event collector computer, both the Windows Event Collector service (WecSvc) and the Windows Remote Management service (WinRM) use these URLs. However, the default access control lists (ACLs) for these URLs allow access for only the svchost process that runs WinRM.
This article helps fix an issue that occurs when you use source-initiated event forwarding to send events to a Microsoft Windows Server event collector. https://learn.microsoft.com/en-us/troubleshoot/windows-server/admin-development/events-not-forwarded-by-windows-server-collector
Troubleshoot connecting computers to the server in Windows Server Essentials https://learn.microsoft.com/en-us/windows-server-essentials/support/troubleshoot-connecting-computers-to-the-server-in-windows-server-essentials
Hope this resolves your Query !!
--If the reply is helpful, please Upvote and Accept it as an answer–