If you analyze winrm RootSDDL in version 1.1 and 2.0 you can observe that different groups get access to winrm by default.
You configure Windowsd Vista 4.4 Collector and you add normal windows user and Network Service Account to the Event Log Readers Group. The collector works as designed. You can collect Vista/Win2008 events but when you run the winrm get winrm/config/service in version 2.0 you can see that in Root SDDL Event Log Reader is not listed there.
The question is where the access to Event Log Readers is defined.
1. WINRM 1.1 output from winrm get winrm/config --Event Log Readers group has access to winrm
2. WINRM 2.0 output from winrm get winrm/config --Only Built in Administrators has access to winrm
Once you add user and network service account to the Event Log Readers they are able to connect to winrm. This indicate that access for EventLog object is defined by different URI.
In WINRM 2.0 access to the EventLog object is identified by the following URI: http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog
To verify the access to EventLog object please run the followin command:
winrm configSDDL http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog
For more information please follow the Microsoft Documentation.