I've been looking into this for clients in Europe, and while I haven't tried it all in detail, I think the following items will give you a workable solution:
Do keep in mind the original log message cannot be modified, and will either be stored as received, or it will be filtered/truncated. (Filter removes log and meta, and truncate remove raw log and keeps meta).
For the meta, we have more options, and we can follow two approaches:
1) For meta for which there is an exhaustive list (internal email addresses, internal ip addresses, hostnames usernames), we can setup feeds that will add a custom token for each value. The list would need to be prepared (based on CMDB dumps, Active Directory exports, etc) and be set up as a recurring feed. This would require some scripting but you are effectively preprocessing tokenization.
2) For meta for which there is no exhaustive list (internet ip addresses, other email addresses, etc) the only approach is to use a custom parser that will obfuscate the value. (I still need to write this, but I imagine a meta callback parser in Lua that runs an MD5 or CRC32 on a meta value would not be too difficult).
Don't forget to set the original meta to "Transient" in your table-map-custom.xml, or it will store the original data as well, defeating the point of the whole exercise.
Also there is an interesting security features in the Concentrator called the 'sdk.roles', if you go to Explorer (/sdk/config, I think) you can set this to value '2' and this will enable an additional security model giving you RBAC access to individual meta keys. (It will cause a slight performance hit of course)
Michel.
(updated 2014-03-17 to reference correct table-map-custom.xlm)
