I do not use the ESF, but looking for it the _id field is indeed created by the forwarder as this github issue makes clear.
For what I understood it is used to avoid duplicates in Elasticsearch.
The documentation on how the Logstash pipeline for the ESF should look like is non-existent, but I think that if you add the following line in your elasticsearch output in your Logstash configuration it should work:
document_id => "%{_id}"
This will tell Elasticsearch to use the _id field as the id of the document and should avoid the mapping error that you are getting.