diff --git a/CHANGES b/CHANGES
index 4029d05e3..f978cd437 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2598,4 +2598,5 @@
 * cloudflare: add config for default value of proxied
 * eventlog: keep 3 months
 * services: give static IPs to internal databases
+* eventlog: only prune login and logout events
 
diff --git a/src/eventlog.js b/src/eventlog.js
index 6bdcc7f64..889ae20b9 100644
--- a/src/eventlog.js
+++ b/src/eventlog.js
@@ -90,6 +90,7 @@ exports = module.exports = {
 
 const assert = require('assert'),
     database = require('./database.js'),
+    debug = require('debug')('box:eventlog'),
     mysql = require('mysql'),
     notifications = require('./notifications.js'),
     safe = require('safetydance'),
@@ -183,8 +184,25 @@ async function cleanup(options) {
     assert.strictEqual(typeof options, 'object');
 
     const creationTime = options.creationTime;
+    debug(`cleanup: pruning events. creationTime: ${creationTime.toString()}`);
 
-    const results = await database.query('SELECT * FROM eventlog WHERE creationTime <= ?', [ creationTime ]);
+    // only these actions are pruned
+    const actions = [
+        exports.ACTION_USER_LOGIN,
+        exports.ACTION_USER_LOGIN_GHOST,
+        exports.ACTION_USER_LOGOUT,
+    ];
+
+    let query = `SELECT ${EVENTLOG_FIELDS} FROM eventlog WHERE creationTime <= ? AND (`;
+    let data = [ creationTime ];
+    actions.forEach(function (action, i) {
+        query += ' action = ? ';
+        data.push(action);
+        if (i < actions.length-1) query += ' OR ';
+    });
+    query += ' ) ';
+
+    const results = await database.query(query, data);
 
     for (const result of results) {
         await database.query('DELETE FROM notifications WHERE eventId=?', [ result.id ]); // remove notifications that reference the events as well