Audit log categories help to identify events of interest without enumerating every event. In audit.3, events must be logged under one of the categories in the table below. audit.2 logs may use the same categories but they are not enforced and usage is considered best effort. Refer to Audit logging overview for more information about the differences between the audit.2 and audit.3 schema.
An example auditing workflow using categories could be:
dataLoad.allLogs.filter { log -> interestingCategories.any { log.categories.contains(X) } }
request_params and result_params reflect the specific information submitted and viewed by a user. The request and response params are split to allow the consumer to differentiate between parameters that are provided by request and those that are part of the response as the result of the interaction.For example, if your log contains the dataLoad category, then the request_params and/or the result_params will contain contain a list of all the resources loaded by the user during this interaction.
Below are the available audit log categories.
| Audit Log Category | Category Description | Request Fields | Response Fields |
|---|---|---|---|
appConfigAccess | Load application-specific configuration. These may be tied to a user or resource. | accessedAppConfigIds docs: The application resources that were accessed in this event. type: required classification: RESOURCE accessAppConfigDescription docs: A description of the configuration access. type: required classification: CONSTANT | |
appConfigCreate | Create application-specific configuration. These may be tied to a user or resource. | createAppConfigDescription docs: A description of the configuration creation. type: required classification: CONSTANT | createdAppConfigIds docs: The application resources that were created in this event. type: required classification: RESOURCE |
appConfigDelete | Delete application-specific configuration. These may be tied to a user or resource. | deletedAppConfigIds docs: The ApplicationResouces that were deleted in this event. type: required classification: RESOURCE deleteAppConfigDescription docs: A description of the configuration deletion. type: required classification: CONSTANT | |
appConfigSearch | Search for application-specific configuration. These may be tied to a user or resource. appConfigSearch should be used when the exact result values of a request are unknown, or variable. | appConfigSearchQuery docs: The search-query that this event is running. type: required classification: USER_INPUT | appConfigSearchResults docs: The search-results that are returned to the user in this event. type: required classification: RESOURCE |
appConfigUpdate | Update application-specific configuration. These may be tied to a user or resource. | updatedAppConfigIds docs: The application resources that were updated in this event. type: required classification: RESOURCE updateAppConfigDescription docs: A description of the configuration update. type: required classification: CONSTANT | |
assetFileLoad | Loads a file from a static asset its full coordinate, such as group, artifact, and version. | requestMavenCoordinate docs: Maven coordinate for the asset requested. Might not include groupId or version. type: required type: required classification: METADATA | responseMavenCoordinate docs: The full maven coordinate for the returned asset. type: required classification: METADATA |
authenticationCheck | Checks authentication status via a programmatic or manual authentication event, such as token validation. | authenticationCheckTargets docs: The identifiers that auth is being checked against. type: optional classification: RESOURCE | authenticationCheckResult docs: Whether this authentication check succeeded or not. type: required classification: METADATA authenticationCheckResultMessage docs: Further details on this authentication check result. type: optional classification: CONSTANT |
authorizationCheck | Checks authorization status via a programmatic or manual authorization event, like checking permissions. | authorizationCheckTargets docs: The identifiers that auth is being checked against. type: optional classification: RESOURCE authorizationCheckOperations docs: The values within the authorization attempt, such as the permission being checked for. type: required classification: METADATA | authorizationCheckSucceededTargets docs: Targets that passed authorization. type: required classification: RESOURCE authorizationCheckFailedTargets docs: Targets that failed authorization. type: required classification: RESOURCE authorizationCheckResultMessage docs: Further details on this authorization check result. type: optional classification: CONSTANT |
bulkDataImport | Bulk imports to the platform. Differs from dataImport in that the direct relationship between destinations and origins may not be known. | bulkImportedFiles docs: The files that were imported type: required classification: METADATA | bulkImportDestinations docs: The destination for the bulk imports. type: required classification: RESOURCE |
cancelCodeExecution | Cancellation of an existing code execution. | cancelledExecutedResources docs: The specific resources that were being executed before cancellation. For example, this could be a modelUUID or a buildRID. type: required classification: RESOURCE cancelledExecutedResourceEnvironment docs: The encompasssing environment for the resources that were being executed before cancellation. For example, this could be a liveRID or a workbookRID. type: required classification: RESOURCE | |
codeExecution | Occurrence of code execution, which might not write results to a dataResource. | executedResourceEnvironment docs: The encompasssing environment for the resources that were executed. For example, this could be a liveRID or a workbookRID. type: required classification: RESOURCE | executedResources docs: The specific resources that were executed. For example, this could be a modelUUID or a buildRID or if run on a container, pass in the identifier of the container. type: required classification: RESOURCE |
configureInfra | A user configures some infrastructure like a node or a service. | configureInfraTargets docs: The SystemResources that are being configured. type: required classification: RESOURCE | configureInfraRequestId docs: The request-id of this configuration event. type: required classification: METADATA |
containerLaunch | Registers the preparation of a compute environment. This should be emitted when, for example, a Spark module is launched. If possible, pass in a location identifier of the compute environment like a host name. | requestedContainerIdsToLaunch docs: The IDs of the resources that were requested to be launched. type: optional classification: RESOURCE | launchedContainerIds docs: The IDs of the resources that were launched. type: required classification: RESOURCE |
containerLoad | Registers the load of a compute environment. This should be emitted when, for example, a spark module is read. If possible, pass in a location identifier of the compute environment like a host name. | requestedContainerLoadIds docs: The IDs of the resources that were requested. type: required classification: RESOURCE | loadedContainerLoadIds docs: The IDs of the resources that were loaded. type: required classification: RESOURCE |
containerSearch | Registers the search of compute environments. This should be emitted when, for example, spark module list is read. | containerSearchQuery docs: The search-query that this event is running. type: optional classification: USER_INPUT | containerSearchResults docs: The search-results that are returned to the user in this event. type: required classification: RESOURCE |
containerStop | Registers the shutdown of a compute environment. If possible, pass in a human readable reason for the shutdown, for example "failure" or "user request". | stoppedContainerIds docs: The IDs of the resources that were stopped. type: required classification: RESOURCE containerStopReason docs: The reason why the resource was stopped. type: optional classification: CONSTANT | |
createInfra | A user creates some infrastructure like a node or a service. | createInfraTargets docs: The SystemResources that are being created. type: required classification: RESOURCE | createdInfraResources docs: The SystemResources that were created. This should have a more explicit identifier. type: required classification: RESOURCE |
dataCreate | Indicates the addition of some new entry of data into the platform where it did not exist prior. This event may be reflected as a dataPromote in a separate service if it is logged in the landing service. | createdResources docs: The DataResources that were created in this event. type: required classification: RESOURCE | |
dataDelete | Related to the deletion of data, independent of the granularity of that deletion. | deletedResources docs: The DataResources that were deleted in this event. type: required classification: RESOURCE | |
dataExport | Export of data from the platform. Use for things like downloading data from the platform, such as a system external to Palantir, csv file and more. If data was exported to another Palantir system, use the dataPromote category. | downloadedResources docs: All resources that were downloaded in this event. type: required classification: RESOURCE | downloadedSize docs: The size, in bytes, of the downloaded data. type: required classification: METADATA |
dataImport | Imports to the platform. Unlike dataPromote, dataImport refers only to data being ingested from outside the platform. This means that a dataImport in Palantir Gotham could show up as a dataPromote in a separate service. | importedFilename docs: The filename of the imported data. type: required classification: DATA importedFileType docs: The filetype of the imported data. type: required classification: METADATA importParentResourceId docs: The parent of the destination resource. type: optional classification: METADATA | importResourceId: docs: The destination resource for the imported data. type: required classification: METADATA importedSize docs: The total size, in bytes, of the imported data. type: optional classification: METADATA |
dataLoad | Refers to the loading of data to be returned to a user. For purely back-end loads, use internal. | loadedResources docs: The DataResources that were loaded in this event. type: required classification: RESOURCE | |
dataMerge | Refers to the combination of two datasources into one. This would be triggered by a JOIN in Contour or a Resolution event in Palantir Gotham. | resourcesToMerge docs: The resources that were merged in this event. type: required classification: RESOURCE | mergedResult docs: The resultant DataResource from the merging of the resources. type: required classification: RESOURCE |
dataPromote | Indicates that a user promoted data to an external Palantir system, Gotham or otherwise. | promotionDestinations docs: The destinations to which the DataResources were promoted to. type: required classification: METADATA promotionDescription docs: A description of this promotion event. type: required classification: CONSTANT promotedResources docs: The resources that were promoted to another system. type: required classification: RESOURCE | |
dataSearch | Searches of datasets, objects, or other searches for data within the system. | dataSearchQuery docs: The query that this search is executing. type: required classification: USER_INPUT dataSearchContext docs: Further information to contextualize the current query. This information is unstructured and should not be relied upon beyond informing auditors. type<common.ResourceContext> | dataSearchResults docs: All resources that were presented to the user by this search result. type: required classification: DATA |
dataShareCreate | Creation of a share of data. For example, when creating a link that grants access to resources on visit. | dataShareCreateId docs: An optional identifier for this share, if available. type: optional classification: METADATA dataShareCreateTargets type: required classification: RESOURCE | |
dataShareDisable | Deactivation of a mechanism to share data. For example, the disabling of a link that grants access to resources on visit. | dataShareDisableId docs: An optional identifier for this share, if available. type: optional classification: METADATA dataShareDisableTargets type: required classification: RESOURCE | |
dataShare | Discretionary share of data. | dataShareId docs: An optional identifier for this share, if available. type: optional classification: METADATA dataShareTargets type: required classification: RESOURCE dataShareReason docs: A human-readable reason this data was shared (e.g. "visited a share link"). type: required classification: CONSTANT | |
dataTransform | Transform one or more DataResources in some way. | transformTargets docs: The resources that were transformed. type: required classification: RESOURCE transformDescription docs: A description of the transformation that was performed. type: required classification: CONSTANT | |
dataUpdate | Updates or attempted updates of data. This is a catch-all field and we recommend using dataTransform or dataMerge instead. | ||
systemManagement | Modification of or access to metadata that determines the layout and configuration of applications on the environment. Replaced by appConfigCreate/Access/Update/Delete/Search in audit.3. | ||
infraLogsAccess | User requests logs from an infrastructure resource like a node or a service. | infraLogsAccessTarget docs: The SystemResource from which logs are being requested. type: required classification: RESOURCE | infraLogsAccessRequestId docs: The request-id of this access request event. type: required classification: METADATA |
internal | Catch-all for all internal events. These typically are low signal for audit users. | ||
logicAccess | Access of logic. For example, viewing a Contour analysis. | accessedLogicResources docs: All LogicResources accessed in this event. type: required classification: RESOURCE | |
logicCreate | Creation of new logic. For example, when a new Contour board is created. | createdLogicResources docs: All LogicResources created in this event. type: required classification: RESOURCE | |
logicDelete | Deletion of logic. For example, deleting a Contour board. | deletedLogicResources docs: All LogicResources deleted in this event. type: required classification: RESOURCE | |
logicSearch | Search of some logic. For example, searching for a Contour analysis. | logicSearchQuery docs: The query that this search is executing. type: required classification: USER_INPUT | logicSearchResults docs: All underlying LogicResources returned by this search request. type: required classification: RESOURCE |
logicUpdate | An update to existing logic. For example, when a user saves a file, a push to a stemma repo occurs, or the logic of an existing Contour board is updated. | updatedLogicResources docs: All LogicResources updated in this event. type: required classification: RESOURCE | |
managementGroups | Changes to group membership should always go through here. | groupPatches type: required classification: METADATA | |
managementPermissions | Anything that changes permissions on the platform. These logs should use the result_params changes field to enumerate the precise change that occurred. Examples include sharing a resource or changing a resource's provenance. | resourcesWithPermissionsChanges docs: The resources affected by the change in permissions type: required classification: RESOURCE permissionChangeContext docs: Further information to contextualise changed resources type: optional classification: METADATA | |
managementUsers | Changes and modifications to what users exist or their personal information. For events related to user permissions, use managementPermissions. For events where a user is added or removed from a group, use managementGroups. | managedUserIds type: required classification: METADATA | |
managementTokens | Specific action related to token management, such as enabling, disabling, or revoking tokens. | managedTokens docs: All tokens affected by the change. type: required classification: METADATA | |
managementMarkings | Anything that modifies access to mandatory controls. | markingPatches type: required classification: METADATA | |
mandatoryControlManagement | Privileged action affecting mandatory controls in the system. Replaced by managementMarkings in audit.3. | ||
mandatoryControlApplication | Privileged action affecting mandatory controls in the system. Replaced by managementPermissions in audit.3. | ||
metaDataAccess | Refers to the loading of metadata. Metadata is data about data; for example, various API-accessible metrics that describe data within a pipeline, like counts, dataset names, transaction IDs and more. As such, metadata may not have its own identifier but instead will be related to the data that it describes. | accessedMetaDataResources docs: The underlying DataResources that the accessed metadata describes. type: required classification: RESOURCE accessedMetaDataDescription docs: A description of the metadata access. type: required classification: CONSTANT | |
metaDataCreate | The creation of metadata. Metadata is data about data; for example, various API-accessible metrics that describe data within a pipeline, like counts, dataset names, transaction IDs and more. | createdMetaDataDescription docs: A description of the metadata creation. type: required classification: CONSTANT | createdMetaDataResources docs: The underlying DataResources that the created metadata describes. type: required classification: RESOURCE |
metaDataDelete | The deletion of metadata. Metadata is data about data; for example, various API-accessible metrics that describe data within a pipeline, like counts, dataset names, transaction IDs and more. | deletedMetaDataResources docs: The underlying DataResources that the deleted metadata describes. type: required classification: RESOURCE deletedMetaDataDescription docs: A description of the metadata deletion. type: required classification: CONSTANT | |
metaDataSearch | Search of metadata associated with a dataset, objects, or other searches for metadata within the system. | metaDataSearchQuery docs: The query that this search is executing. type: required classification: USER_INPUT | metaDataSearchResults docs: All underlying resources that had metadata presented to the user by this search result. type: required classification: RESOURCE |
metaDataUpdate | The updating of metadata. MetaData is data about data; for example, various API-accessible metrics that describe data within a pipeline, like counts, dataset names, transaction IDs and more. | updatedMetaDataResources docs: The underlying DataResources that the updated metadata describes. type: required classification: RESOURCE updatedMetaDataDescription docs: A description of the metadata update. type: required classification: CONSTANT | |
monitorAccess | Access of a monitor, for example viewing details about how it works. | accessedMonitorResources docs: The MonitorResources that were accessed in this event. type: required classification: RESOURCE accessedMonitorDescription docs: A description of the monitor access. type: optional classification: CONSTANT | |
monitorCreate | Creation of a monitor. | createdMonitorDescription docs: A description of the monitor creation. type: optional classification: CONSTANT | createdMonitorResources docs: The MonitorResources that were created in this event. type: required classification: RESOURCE |
monitorDelete | Deletion of a monitor. | deletedMonitorResources docs: The MonitorResources that were deleted in this event. type: required classification: RESOURCE deletedMonitorDescription docs: A description of the monitor deletion. type: optional classification: CONSTANT | |
monitorRun | Execution of a particular monitor, potentially triggering actions or notifications. | runMonitorTargets docs: The MonitorResources that were ran in this event. type: required classification: RESOURCE | |
monitorSearch | Searching for a monitor. | monitorSearchQuery docs: The search-query that this event is running. type: required classification: USER_INPUT | monitorSearchResults docs: The search-results that are returned to the user in this event. type: required classification: RESOURCE |
monitorUpdate | Update a monitor, potentially changing how it behaves. | updatedMonitorResources docs: The MonitorResources that were updated in this event. type: required classification: RESOURCE updatedMonitorDescription docs: A description of the monitor update. type: optional classification: CONSTANT | |
oauth2InitiateAuthFlow | Start the OAuth 2.0 Authorization Code flow with the external OAuth 2.0 server. | oauth2InitiateAuthFlowUser docs: The user for whom this oauth2 flow is being started. type: required classification: UID oauth2InitiateAuthClientId docs: The client-id the oauth2 flow is being performed for. type: required classification: RESOURCE | |
onBehalfOf | The request was made on behalf of other users, usually by a service user. | onBehalfOfUserIds docs: The upstream users. The first user ID is the most upstream user. type: required classification: UID | |
ontologyDataLoad | The loading of ontology data to be returned to a user. | ontologyDataLoadContext docs: Further context to identify this load request, such as the owning RID. type: optional classification: METADATA requestedOntologyDataResources docs: The OntologyDataResources that were requested in this event. type: required classification: RESOURCE | loadedOntologyDataResources docs: The OntologyDataResources that were loaded in this event. type: required classification: RESOURCE |
ontologyDataTransform | The modification of ontology data via patches or edits. | ontologyDataTransformTargets docs: The OntologyDataResources that the user intends to transform. type: optional classification: RESOURCE ontologyDataTransformContext docs: Further context to identify this transform request. type: optional classification: METADATA ontologyDataTransformDescription docs: A description of the transformation that was performed. type: optional classification: CONSTANT | transformedOntologyDataResources docs: The OntologyDataResources that were transformed by the request. type: optional classification: RESOURCE |
ontologyDataSearch | Search of ontology data within the system. | ontologyDataSearchContext docs: Further context to identify this load request, such as the owning RID. type: optional classification: METADATA searchedOntologyLogicResources docs: The logical selections included in this search. type: required classification: RESOURCE | ontologyDataSearchResults docs: All resources that were presented to the user by this search result. type: required classification: RESOURCE |
ontologyLogicAccess | Access of ontology logic. For example, viewing an object set or sets. | requestedOntologyLogicResources docs: The OntologyLogicResources that were requested. type: required classification: RESOURCE | loadedOntologyLogicResources docs: The OntologyLogicResources that were present in the response. type: required classification: RESOURCE |
ontologyLogicCreate | Creation of new ontology logic. For example, when a new object set is created. | createOntologyLogicContext docs: Further context to narrow down an identifier, or further identify this request. For example, owning RID, or parent Compass RID. This includes a "type" context identifying the type represented by this request, for example, temporary object set, permanent object set, versioned object set, and more. type: optional classification: METADATA | createdOntologyLogicResources docs: All LogicResources created in this event. type: required classification: RESOURCE |
ontologyLogicDelete | Deletion of ontology logic, for example a new object set. | deleteOntologyLogicContext docs: Further context to narrow down an identifier, or further identify this request. For example, owning RID, or parent Compass RID. This includes a "type" context identifying the type represented by this request, for example, temporary object set, permanent object set, versioned object set, and more. type: optional classification: METADATA | deletedOntologyLogicResources docs: All LogicResources deleted in this event. type: required classification: RESOURCE |
ontologyLogicUpdate | Update ontology logic, for example saving a new version of an object set. | updateOntologyLogicContext docs: Further context to narrow down an identifier, or further identify this request. For example, owning RID, or parent Compass RID. This includes a "type" context identifying the type represented by this request, for example, temporary object set, permanent object set, versioned object set, and more. type: optional classification: METADATA | updatedOntologyLogicResources docs: All LogicResources updated in this event. type: required classification: RESOURCE |
ontologyMetaDataCreate | The creation of OntologyMetaDataResources. | createdOntologyMetaDataResources docs: All OntologyMetaDataResources created in this event. type: required classification: RESOURCE | |
ontologyMetaDataDelete | The deletion of OntologyMetaDataResources. | deletedOntologyMetaDataResources docs: All OntologyMetaDataResources deleted in this event. type: required classification: RESOURCE | |
ontologyMetaDataLoad | The loading of Ontology MetaData to be returned to a user. | requestedOntologyMetaDataResources docs: The OntologyMetadataResources that were requested. type: required classification: RESOURCE | loadedOntologyMetaDataResources docs: The OntologyMetaDataResources that were present in the response. type: required classification: RESOURCE |
ontologyMetaDataSearch | Search for OntologyMetaDataResources that meet criteria. | ontologyMetaDataSearchedResources docs: The OntologyMetaDataResources included in the search query. type: required classification: RESOURCE ontologyMetaDataSearchContext docs: Further context to the search query - such as DatasourceType. type: optional classification: METADATA | ontologyMetaDataSearchResults docs: All OntologyMetaDataResources that were returned to the user. type: required classification: RESOURCE |
ontologyMetaDataUpdate | The modification of OntologyMetaDataResources. | updatedOntologyMetaDataResources docs: All OntologyMetaDataResources updated in this event. type: required classification: RESOURCE | |
passThrough | A category where the set of auditable parameters is determined at runtime, typically by an external system | passThroughRequestParams type: required classification: PASS_THROUGH | passThroughResponseParams type: required classification: PASS_THROUGH |
requestAccess | The loading of a request. | accessedRequestIds docs: The requests that were accessed in this request. type: required classification: RESOURCE accessedRequestDescription docs: A description of the request access. type: optional classification: CONSTANT | |
requestApprove | Approving a request, or part of a request. A request may require multiple approvals before it can be performed. | approvedRequestIds docs: The requests that are being approved type: required classification: RESOURCE approveRequestUserId docs: The user that approved the request type: optional classification: UID | |
requestCancel | Canceling the request so that it will no longer be performed, such as closing a pull request. | canceledRequestIds docs: The requests that are being canceled type: required classification: RESOURCE | |
requestCreate | The creation of a request. Requests represent an action that has not yet been taken and may require approval, such as a pull request, access request, or checkpoint. | createdRequestAffectedResources docs: The resources that are directly affected by the request. For example, for an update request this would be the updated resource, and for a create request this could be the parent resource. type: required classification: RESOURCE createdRequestDescription docs: A description of the request creation. type: optional classification: CONSTANT | createdRequestIds docs: The requests that were created in this request type: required classification: RESOURCE |
requestDisapprove | Disapproving a request. | disapprovedRequestIds docs: The requests that are being disapproved. type: required classification: RESOURCE disapproveRequestUserId docs: The user that disapproved the request. type: optional classification: UID | |
requestExecute | Executing the action associated with a request, such as merging a pull request or applying an access request. | executedRequestIds docs: The requests that are being executed. type: required classification: RESOURCE | executeRequestAffectedResources docs: The resources that were affected by this request. This may not include all of the resources that were provided when creating the request. type: optional classification: RESOURCE |
requestSearch | Searching for requests. | requestSearchQuery docs: The search-query that this event is running. type: required classification: USER_INPUT | requestSearchResults docs: The search-results that are returned to the user in this event. type classification: RESOURCE |
requestUpdate | The update of an existing request. | updatedRequestIds docs: The requests that were updated in this request type: required classification: RESOURCE updatedRequestDescription docs: A description of the request update. type: optional classification: CONSTANT | |
restartInfra | Restarts some infrastructure like a node or a service. | restartedResources docs: All SystemResources that were restarted in this event. type: required classification: RESOURCE | |
reviewInfraAction | A user approves or denies an action within the infrastructure space, such as configuring a node, a service and more. | reviewInfraActionRequestId docs: The request-id of this review. type: required classification: METADATA reviewInfraActionUser docs: The user who reviewed this action. type: required classification: UID | reviewInfraActionWasApproved docs: Whether the review was approved. type: required classification: CONSTANT |
secretCreate | Create a secret string. | createdSecretType docs: The kind of secrets that were created type: required classification: METADATA | createdSecretIdentifiers docs: The identifiers of the secrets that were created. type: required classification: RESOURCE |
secretDeprecate | Mark a secret as deprecated. | deprecatedSecretIdentifier docs: The identifier of the secret that was deprecated. type: required classification: RESOURCE | |
secretLoad | Retrieve a secret from the backing store. | loadedSecretIdentifiers docs: The identifiers of the secrets that were loaded. type: required classification: RESOURCE | |
secretUse | Use a secret via a backend endpoint. | usedSecretOperation docs: The operation used for the secret. type: required classification: METADATA usedSecretIdentifiers docs: The identifiers of the secrets that were used. type: required classification: RESOURCE | |
tokenAccess | Accessing a previously generated token. | accessedTokens docs: A description of how these tokens were accessed, for auditor-context. type: required classification: TOKEN | |
tokenGeneration | Action that leads to generation of a new token. | generateTokensDescription docs: A description of how these tokens were generated, for auditor-context. type: optional classification: CONSTANT | generatedTokens docs: All tokens that were generated type: optional classification: TOKEN |
tokenRevoke | Action that leads to the deletion of tokens. | revokeTokensDescription docs: A description of how these tokens were generated, for auditor-context. type: optional classification: CONSTANT | revokedTokens docs: All tokens that were revoked. type: required classification: TOKEN |
upgradeInfra | Some infrastructure was upgraded, including downgrades. | upgradedResources docs: All SystemResources that were upgraded in this event. type: required classification: RESOURCE | |
userJustify | Event when a user specifies a purpose justification for taking an action. | userJustifyId docs: The user justifying the action. type: required classification: UID userJustification docs: The user's justification for taking the action. Multiple justifications can be provided. type: required classification: USER_INPUT | |
userLogin | Login events of users. | loginUserId type: optional classification: UID | |
userLogout | Logout events of users. | logoutUserId type: optional classification: UID |