This is what I get from universal forwarder :

Message=Security Enabled Global Group Member Removed:  
    Member Name:    -  
    Member ID:  %{S-1-5-21-1659004503-813497703-682003330-1006}  
    Target Account Name:    None  
    Target Domain:  TEST-4  
    Target Account ID:  %{S-1-5-21-1659004503-813497703-682003330-513}  
    Caller User Name:   test  
    Caller Domain:  TEST-4  
    Caller Logon ID:    (0x0,0x111E1)  
    Privileges: -  

This is a same event but see in Event Viewer :

Description:  
Security Enabled Local Group Member Removed:  
    Member Name:    -  
    Member ID:  TEST-4\temp1  
    Target Account Name:    Administrators  
    Target Domain:  Builtin  
    Target Account ID:  BUILTIN\Administrators  
    Caller User Name:   test  
    Caller Domain:  TEST-4  
    Caller Logon ID:    (0x0,0x111E1)  
    Privileges: -  

You will see that some fields are different e.g. Member ID, Target Account Name,Target Domain,Target Account ID.
How can I config splunk forwarder to get the same data as I see in event viewer?

Why forwarder change data before send to indexer?