All WinEvent logs go through the parsing rules defined in $SPLUNK_HOME/etc/system/local/props.conf and $SPLUNK_HOME/etc/system/local/transforms.conf.

These state the following;

props.conf:

[source::WinEventLog...]
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD=30
LINE_BREAKER = ([\r\n](?=\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2} [aApPmM]{2}))
REPORT-MESSAGE = wel-message, wel-eq-kv, wel-col-kv
KV_MODE=none

etc, etc

transforms.conf:

[wel-message]
REGEX = (?sm)^(?<_pre_msg>.+)\nMessage=(?<Message>.+)$
CLEAN_KEYS = false

[wel-eq-kv]
SOURCE_KEY = _pre_msg
DELIMS     = "\n","="
MV_ADD     = true

[wel-col-kv]
SOURCE_KEY = Message
REGEX      = \n([^:\n\r]+):[ \t]++([^\n]*)
FORMAT     = $1::$2
MV_ADD     = true

This means that anything with the source of WinEventLog:somthing will be run through the three field extracting transforms wel-message, wel-eq-kv and wel-col-kv. In that order.

wel-message splits the event into two fields, _pre_msg and Message.
wel-eq-kv splits the _pre_msg into field/value pairs based on 'equals' (=).
wel-col-kv splits the Message into field/value pairs based on colons (:).

However the REGEX in wel-col-kv requires that a newline preceeds the first capture group, and that newline does not exist in your first row.

Perhaps you could/should create new props.conf/transforms.conf stanzas in the /$SPLUNK_HOME/etc/system/local directory, which would be very similar, but the differently named. The props-stanza (from which the transforms are called) should be more specific, i.e. [WinEventLog:ErrorLogs], and the transforms that are called through the REPORT should be called welel-message, welel-eq-kv and welel-col-kv respectively (. Then the REGEX in welel-col-kv should have the leading newline made optional (by a question mark);

 [welel-col-kv]
 SOURCE_KEY = Message
 REGEX      = \n?([^:\n\r]+):[ \t]++([^\n]*)
 FORMAT     = $1::$2
 MV_ADD     = true

Hope this helps, at least a little bit.

Kristian