Hi
it's not possible in Splunk anonimize data on Forwarders, data mask is performed at index time on indexers (see https://docs.splunk.com/Documentation/Splunk/6.6.1/Data/Anonymizedata )
the only way to mask data on forwarders (but it isn't easy) is to pre-parse logs using a script, I don't suggest to do this!

Anyway to do this follow this example (with example regexes):

on props.conf

[your_sourcetype]
TRANSFORMS-anonymize = session-anonymizer, ticket-anonymizer

on transforms.conf

[session-anonymizer]
REGEX = (?m)^(.*)SessionId=\w+(\w{4}[&"].*)$
FORMAT = $1SessionId=########$2
DEST_KEY = _raw
[ticket-anonymizer]
REGEX = (?m)^(.*)Ticket=\w+(\w{4}&.*)$
FORMAT = $1Ticket=########$2
DEST_KEY = _raw

Bye.
Giuseppe