Assuming that the events were forwarded from the original host to the collector in "RenderedText" format, then they should have a message field that contains the full text of the event. The event_data.* fields are the raw data that was provided by the application that logged the event. This is included in the event published by Winlogbeat so that you don't have to grok the message field to extract data needed for other analysis you might want to do.
To debug the issue I would add the include_xml: true configuration option so that the raw XML event that was forwarded by the original host is included. Then you can check this XML to see if it includes a RenderingInfo field with a message.
You should also enable debug logging (logging.level: debug) and check the log for problems (or post it to pastebin or gist and I can take a look).
As a general note about your config, I also recommend adding a forwarded tag events read from the ForwardedEvents log so that you can easily tell that they were forwarded. WIthout this tag it can be difficult to know since the log_name field gets set to the original log name.
It appears that the indentation is wrong in the config you posted.
winlogbeat.registry_file: 'C:/Elkwin_Free_x64/winlogbeat/.winlogbeat.yml'
winlogbeat.event_logs:
- name: ForwardedEvents
level: critical, error, warning
forwarded: true
include_xml: true
tags: [forwarded]
output.elasticsearch:
hosts: ["localhost:9200"]
logging.level: debug
logging.to_files: true
logging.files:
path: 'C:/Elkwin_Free_x64/winlogbeat/Logs'
rotateeverybytes: 10485760
keepfiles: 7