Non-domain Windows Event Forwarding security

Microsoft's instructions for configuring Windows Event Forwarding from event source computers to an event collector server that isn't in the same domain with the sources seems wildly problematic from a security standpoint (https://docs.microsoft.com/en-us/windows/win32/wec/setting-up-a-source-initiated-subscription#setting-up-a-source-initiated-subscription-where-the-event-sources-are-not-in-the-same-domain-as-the-event-collector-computer). The instructions walk you through enabling certificate-based authentication for WinRM (Windows Remote Management) on the event collector server, then mapping the client certificates presented by the event source computer to a "local administrator account" on the event collector server. This strikes me as ridiculously insecure and unwise, especially when what I'm trying to do is get non-domain hosts in a DMZ to send events to a domain server on an internal network. I saw someone else describe this as "handing out a root login on a syslog server to a syslog source."

Is there a less irresponsible way to set this up?

I also saw this requirement and it looked to me absolutely ridiculous from the security point of view, as there is no reason that the administrator account get such privileged access.

To mitigate this, and instead of granting read access permissions to the "Administrator" account on the concerned certificate private key, I simply granted this access to the "Network system" account. And it worked!

However I found quiet complex to apply such a change on a large organization and you may need to script it to make it happening. Hope it helped...