If you analyze winrm RootSDDL in version 1.1 and 2.0 you can observe that different groups get access to winrm by default.
Symptoms You configure Windowsd Vista 4.4 Collector and you add normal windows user and Network Service Account to the Event Log Readers Group. The collector works as designed. You can collect Vista/Win2008 events but when you run the winrm get winrm/config/service in version 2.0 you can see that in Root SDDL Event Log Reader is not listed there.
The question is where the access to Event Log Readers is defined.
1. WINRM 1.1 output from winrm get winrm/config --Event Log Readers group has access to winrm
2. WINRM 2.0 output from winrm get winrm/config --Only Built in Administrators has access to winrm
Once you add user and network service account to the Event Log Readers they are able to connect to winrm. This indicate that access for EventLog object is defined by different URI.