Client-side signals can complement server logs, especially for UI-driven abuse.
Track high-value actions: logins, password resets, checkout flows, and admin navigation.
Prefer privacy-preserving IDs. Avoid collecting sensitive content by default.
Use sampling carefully — attacks often hide in the long tail.