Did you succeed in resolving this correlated rule issue?
I am trying to collect the forwarded event logs using a Windows Server 2008 (collector).
I can see the security logs in the Event Viewer on the collector, but the logs are not collected by enVision.
Do you have an idea regarding this collection issue?
Did you configure the Windows Eventing Collector service to collect the Forwarding events subscription?
This subscription contains all the forwarded events from the other servers, with all types (System, Security, Application and all events you enabled in the forwarding configuration).