Thanks, that's what I was getting at. I am testing the log forwarding and have been all week. I had come to the same conclusion as your post. When I changed the destination log to the Windows default logs of the collected then all was good. I have to go back and take a look at LEM as I haven't specifically looked to see if my test events went through with the originators workstation name.
I do know however that if you turn the "Computer" column on in the Windows Event Viewer then the log IS associated to the sending computer.
As for the agent benefits, I do agree. The issue I am trying to work around is having agents on our critical servers where possible. We like to keep our servers as light weight as possible and so if I can get those logs without an agent then there is a big benefit for us. As for USB defender, we have another solution to capture those events.
Thank you for your response and confirming some of what I thought I had learned in this testing.