If you have a machine that is unexpectedly not forwarding event to Windows Event Forwarder (WEF) server then the following checks may assist.
Check if the machine is subscribed from the WEF server.
If the machine is not subscribed complete checks from the machine itself.
Check the logs at Microsoft-Windows-Eventlog-ForwardingPlugin/Operational. The below shows the subscription “test” is unsubscribed, thus events will not be sent to the WEF server.
Check the machine can communicate with your WEF server using PowerShell and the command “Test-NetConnection <Event Collector Server> -Port 5985”
A result of “TcpTestSucceeded : True” indicates success.
Assuming communication with WEF server is not blocked check that Windows Remote Management service is enabled. This should be enabled by policy so that it always starts, thus if it is not running, check policy settings so that the issue does not reoccur.