As best as I can tell, there is a bug between the Splunk Enterprise Security App and the Splunk Add-On for Windows. The Splunk Enterprise Security App's Windows Event Log Cleared looks for sourcetype=wineventlog:security. However, the Splunk Add-On for Windows props file renames wineventlog:security back to wineventlog, causing Windows Event Log Cleared to never fire.
Additionally, the transform regex may be wrong; I'm not sure, but I could not get it to fire as written, so I created a custom transform: (?m)^LogName=(\S+).
I guess this is sort of a question: I am new to transforms and props configuration files, so this was a sanity check. Maybe my team and I made a mistake and installed a later version of the Add-On for Microsoft, version 5.0.1, but we believe it came with ES 5.20 when we installed it, hence our confusion and concern about whether it is a known issue. This is a test environment, so maybe we missed something. Thanks for the info.
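The following is an added illustration, not code from the post, from Splunk, or from either app. It models the mismatch described above in plain Python: a constructed multi-line Windows Security event (not a real capture), the poster's regex (?m)^LogName=(\S+) applied with and without the multiline flag, a sourcetype derived from the captured LogName, and a simplified stand-in for a correlation search that filters on sourcetype=wineventlog:security. The search model, the sample event, and the case-insensitive comparison are assumptions made here for the demonstration.

```python
import re

# Constructed sample of a Windows Security event in the key=value layout the
# Windows add-on forwards. This is made up for the example, not a real event.
SAMPLE_EVENT = """\
07/12/2023 10:15:22 AM
LogName=Security
EventType=4
ComputerName=WS01.example.local
SourceName=Microsoft-Windows-Eventlog
Type=Information
Message=The audit log was cleared.
"""

# The regex from the post. (?m) makes ^ anchor at the start of every line,
# so LogName= is found even though it is not the first line of the event.
LOGNAME_RE_MULTILINE = re.compile(r"(?m)^LogName=(\S+)")

# Same pattern without the multiline flag: ^ only matches at offset 0, so a
# transform written this way never captures anything on a multi-line event.
LOGNAME_RE_SINGLE_LINE = re.compile(r"^LogName=(\S+)")


def extract_logname(event: str, pattern: re.Pattern = LOGNAME_RE_MULTILINE):
    """Return the captured LogName value, or None if the pattern does not match."""
    match = pattern.search(event)
    return match.group(1) if match else None


def derive_sourcetype(event: str, base: str = "wineventlog") -> str:
    """Build the sourcetype a transform would assign from the LogName capture.

    Mirrors a transform whose FORMAT appends the captured group to the base
    sourcetype (e.g. wineventlog:security). Falls back to the bare base
    sourcetype when nothing is captured, which is the renamed value the
    post says the add-on produces.
    """
    name = extract_logname(event)
    return f"{base}:{name.lower()}" if name else base


def search_would_fire(sourcetype: str, expected: str = "wineventlog:security") -> bool:
    """Simplified stand-in for the correlation search's sourcetype filter.

    Assumption for this example: the comparison is case-insensitive, as
    Splunk field-value searches are. Only the sourcetype condition is modelled.
    """
    return sourcetype.lower() == expected.lower()


if __name__ == "__main__":
    # What the add-on rename leaves behind versus what the transform restores.
    renamed = "wineventlog"
    restored = derive_sourcetype(SAMPLE_EVENT)
    print("LogName (multiline):  ", extract_logname(SAMPLE_EVENT))
    print("LogName (single-line):", extract_logname(SAMPLE_EVENT, LOGNAME_RE_SINGLE_LINE))
    print("renamed sourcetype fires:", search_would_fire(renamed))
    print("restored sourcetype fires:", search_would_fire(restored))
```

Running the block shows that the single-line pattern captures nothing on the multi-line event, that the multiline pattern yields wineventlog:security, and that only the restored sourcetype satisfies the search filter; the bare wineventlog value the add-on rename produces does not.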