Windows Event Log Forwarding
For Windows Vista, 7 and 2008:
The Windows-Eventcollector service (wecsvc) on the source-computers, which forwards the events to the collector-computer(s) if you are using Source-initiated Subscription, runs as "Network Service" account. But the Network-Service account does not have access to the Security event log. The local group "Event Log Readers" has access to all logs. That means on each source-computer you need to add the "Network Service" account to the local "Event Log Readers" group so the Windows-Eventcollector service has access to the Security event log and so it can forward it to the collector-computer(s).
Using SDDL (Security Descriptor Definition Language) you can also redefine the permissions on the different event logs using wevtutil, but that is more complex, which means you could easily break something or cause unwanted effects if you don't read up on this and carefully formulate the SDDL before you do anything.
It may be that the Path attribute in the Query block is filtering it. It should work without it:
<QueryList>
<Query Id="0">
<Select Path="Application">*</Select>
<Select Path="Security">*</Select>
<Select Path="Setup">*</Select>
<Select Path="System">*</Select>
</Query>
</QueryList>