Are you monitoring any other files from the forwarder where you want to collect WinEventLogs?
WinEventLog is a modular input; it does not monitor files but queries the Windows WinEvent endpoint.
Splunk uses a checkpoint to identify the latest event id collected per channel.
If you want to reindex a channel, you can reset the checkpoint.
1. Stop Splunk.
2. Look on the forwarder in a folder like $SPLUNK_HOME\var\lib\splunk\modinputs\wineventlogs. Inside the folder you will find a file (XML format) for each channel (security, applications, etc.).
3. Remove the file.
4. Restart Splunk.
It should cause the forwarder to forget the last checkpoints and restart from the beginning.
Warning: it may cause duplicates, as it will resend them all, and it may take some time to backfill all the events if there are several months of old data.
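
The steps above as a PowerShell script, added here as an illustration and not part of the original answer; it moves the checkpoint file to a backup folder instead of deleting it, so the previous position can be restored. The install path, the checkpoint folder name (taken from the answer's "a folder like"), the match between channel name and file name, and the backup location are all assumptions to verify on the forwarder.

```powershell
# Added example (not from the original answer). Run from an elevated prompt.
param(
    # Assumed default Universal Forwarder install path; adjust to your SPLUNK_HOME.
    [string]$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder',
    # Folder name as written in the answer ("a folder like ..."); verify it on the host.
    [string]$CheckpointSubdir = 'var\lib\splunk\modinputs\wineventlogs',
    # Channel whose checkpoint should be reset.
    [string]$Channel = 'Security',
    # Hypothetical backup location for the removed checkpoint file.
    [string]$BackupRoot = (Join-Path $env:TEMP 'wineventlog-checkpoint-backup')
)

$ErrorActionPreference = 'Stop'
$splunkExe     = Join-Path $SplunkHome 'bin\splunk.exe'
$checkpointDir = Join-Path $SplunkHome $CheckpointSubdir

if (-not (Test-Path -LiteralPath $splunkExe))     { throw "splunk.exe not found: $splunkExe" }
if (-not (Test-Path -LiteralPath $checkpointDir)) { throw "Checkpoint folder not found: $checkpointDir" }

# Assumption: the per-channel file name contains the channel name.
$targets = @(Get-ChildItem -LiteralPath $checkpointDir -File |
    Where-Object { $_.Name -like "*$Channel*" })
if ($targets.Count -eq 0) {
    Write-Warning "No checkpoint file matches '$Channel'. Files present:"
    Get-ChildItem -LiteralPath $checkpointDir -File | Select-Object -ExpandProperty Name
    return
}

# Step 1: stop Splunk so the checkpoint is not rewritten while we touch it.
& $splunkExe stop
if ($LASTEXITCODE -ne 0) { throw "splunk stop failed with exit code $LASTEXITCODE" }

try {
    # Step 3: move the file out of the way instead of deleting it (allows rollback).
    $backupDir = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
    foreach ($file in $targets) {
        Move-Item -LiteralPath $file.FullName -Destination $backupDir
        Write-Output "Moved $($file.Name) -> $backupDir"
    }
}
finally {
    # Step 4: always restart, even if the move failed.
    & $splunkExe start
}
```

To roll back, stop Splunk, copy the saved file back into the checkpoint folder, and start Splunk again.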