It's not the current version, but due to multiple reasons in my environment we are still running Splunk Enterprise r6.3.0. This has worked fine with Splunk Universal Forwarder versions 6.3.0, 6.3.11, 6.3.13, and 6.5.9, on windows 10 and windows 2012r2 server. However that's when we install the UF using the msi invoked GUI, with all the windows event log boxes checked so that we get event logs forwarded to the indexer. But now, I need to install the UF by invoking a command line. So, I've used the following command below to install. The results are that the UF is installed, perfmon is forwarded, but not windows event logs.
I've read through a number of community answers, the installation doc and searched on google, but can't seem to find anything indicating that there's an issue with setting up forwarding for windows event logs when installing by command line. Would anyone have a suggestion? Am I missing something with the command line invocation?

Note: The following executed as administrator, and running with the default user of Local System. And yes, the ports the port numbers are the same used when doing a manual GUI install. Again, perfmon is being forwarded. Also, you see this is 6.5.9, but I've also tried this with the 6.3.13 installer msi.

msiexec.exe /i splunkforwarder-6.5.9-eb980bc2467e-x64-release.msi AGREETOLICENSE=Yes RECEIVING_INDEXER="SPLUNKENTERPRISE_FDQN:9997" DEPLOYMENT_SERVER="SPLUNKENTERPRISE_FDQN:8089" WINEVENTLOG_APP_ENABLE=1 WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 WINEVENTLOG_FWD_ENABLE=1 WINEVENTLOG_SET_ENABLE=1 PERFMON=cpu,memory,network,diskspace /quiet