Works with following config now. Seems like error in kv. After I comment out kv, all works.
Do I need to install something to work with kv filter?

input {
udp {
port => 5514
type => "syslog"
}
}

filter {
mutate {
gsub =>
["message", ": ", ":",
"message", "^<[0-9][0-9][0-9]>", ""]
}

#kv {

field_split => ""," "

source => "message"

add_field => ["sourcetime", "%{date}:%{time}"]

}

#date { match => ["sourcetime","yyyy-MM-dd:HH:mm:ss"]}
}

output {
elasticsearch { hosts => ["localhost:9200"] }
stdout { codec => rubydebug }
}