The procedure for forwarding system and application logs from a given WinRM endpoint can be found at http://blogs.technet.com/otto/default.aspx
In order to forward security events, the following needs to be done at the endpoint:
If the endpoint is Vista or WS08: Add “Network Service” to the “Event Log Readers” group. This is because only a limited set of users can read events from the security log, members of the “Event Log Readers” group being among them.
If the endpoint is Win2k3 R2: The CustomSD value under “HKLM/SYSTEM/CCS/Services/EventLog/Security” needs to be set to “O:BAG:SYD:(A;;CC;;;NS)”. This is because on Win2k3 there is no “Event Log Readers” group. More info can be found at http://support.microsoft.com/kb/323076
If the endpoint is XP SP2+: The WinRM service needs to be running as LocalSystem.
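
To see exactly what the Win2k3 CustomSD string above grants, the following added example (not part of the original post) decodes it field by field. The function name decode_eventlog_sddl is hypothetical, and the decoder assumes only the SDDL subset needed here: owner, group, and a DACL whose rights use the CC/DC/LC codes or a hex mask.

```python
import re

PAGE_SDDL = "O:BAG:SYD:(A;;CC;;;NS)"  # the CustomSD string given above

# SDDL SID aliases (subset; any other trustee is returned unchanged)
SIDS = {"BA": r"BUILTIN\Administrators", "SY": r"NT AUTHORITY\SYSTEM",
        "NS": r"NT AUTHORITY\NETWORK SERVICE"}
# SDDL right codes for the three low access-mask bits
CODES = {"CC": 0x1, "DC": 0x2, "LC": 0x4}
# What those bits mean on an event log (per KB 323076)
LOG_RIGHTS = {0x1: "read", 0x2: "write", 0x4: "clear"}
ACE_TYPES = {"A": "allow", "D": "deny"}

def _mask(rights):
    """Turn an ACE rights field ('CC', 'CCDC', '0x3') into an access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    # Codes outside the event-log subset raise KeyError on purpose.
    return sum(CODES[code] for code in set(re.findall("..", rights)))

def decode_eventlog_sddl(sddl):
    """Decode O:<owner>G:<group>D:<flags>(<ace>)... into readable fields."""
    m = re.fullmatch(r"O:([\w-]+?)G:([\w-]+?)D:([A-Z]*)((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("expected O:<owner>G:<group>D:<flags>(<ace>)...")
    owner, group, _flags, ace_blob = m.groups()
    aces = []
    for body in re.findall(r"\(([^)]*)\)", ace_blob):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("an ACE has six ';'-separated fields: " + body)
        ace_type, _ace_flags, rights, _obj, _inherit, sid = fields
        mask = _mask(rights)
        aces.append({
            "type": ACE_TYPES.get(ace_type, ace_type),
            "trustee": SIDS.get(sid, sid),
            "mask": mask,
            "rights": [name for bit, name in LOG_RIGHTS.items() if mask & bit],
        })
    return {"owner": SIDS.get(owner, owner),
            "group": SIDS.get(group, group), "aces": aces}

if __name__ == "__main__":
    sd = decode_eventlog_sddl(PAGE_SDDL)
    print("owner:", sd["owner"], "| group:", sd["group"])
    for ace in sd["aces"]:
        print(ace["type"], ace["trustee"], hex(ace["mask"]), ace["rights"])
```

The string decodes to a single allow ACE giving Network Service read access (0x1) to the Security log, with no write or clear rights.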