$ cat file.log 
Mon, 22 Aug 2016 13:15:39 +0200|178.57.66.225|fxsciaqulmlk| - |user logged in| -
Mon, 22 Aug 2016 13:15:39 +0200|178.57.66.225|fxsciaqulmlk| - |user changed password| -
Mon, 22 Aug 2016 13:15:39 +0200|178.57.66.225|fxsciaqulmlk| - |user logged off| -
Mon, 22 Aug 2016 13:15:42 +0200|178.57.66.225|faaaaaa11111| - |user logged in| -
Mon, 22 Aug 2016 13:15:49 +0200|178.57.66.215|terdsfsdfsdf| - |user logged in| -
Mon, 22 Aug 2016 13:15:49 +0200|178.57.66.215|terdsfsdfsdf| - |user changed password| -
Mon, 22 Aug 2016 13:15:49 +0200|178.57.66.215|terdsfsdfsdf| - |user logged off| -
Mon, 22 Aug 2016 13:15:59 +0200|178.57.66.205|erdsfsdfsdf| - |user logged in| -
Mon, 22 Aug 2016 13:15:59 +0200|178.57.66.205|erdsfsdfsdf| - |user logged in| -
Mon, 22 Aug 2016 13:15:59 +0200|178.57.66.205|erdsfsdfsdf| - |user changed password| -
Mon, 22 Aug 2016 13:15:59 +0200|178.57.66.205|erdsfsdfsdf| - |user logged off| -
Mon, 22 Aug 2016 13:17:50 +0200|178.57.66.205|abcbbabab| - |user logged in| -
Mon, 22 Aug 2016 13:17:50 +0200|178.57.66.205|abcbbabab| - |user changed password| -
Mon, 22 Aug 2016 13:17:50 +0200|178.57.66.205|abcbbabab| - |user changed profile| -
Mon, 22 Aug 2016 13:17:50 +0200|178.57.66.205|abcbbabab| - |user logged off| -
Mon, 22 Aug 2016 13:19:19 +0200|178.56.66.225|fxsciulmla| - |user logged in| -
Mon, 22 Aug 2016 13:19:19 +0200|178.56.66.225|fxsciulmla| - |user changed password| -
Mon, 22 Aug 2016 13:19:19 +0200|178.56.66.225|fxsciulmla| - |user logged off| -
Mon, 22 Aug 2016 13:20:42 +0200|178.57.67.225|faaaa0a1111| - |user logged in| -
$ cat parser 
#!/bin/bash
fname=$1
rnum=1
while read line
do
    if [[ $line =~ "user logged in" ]]; then
        user=`head -n $rnum $fname | tail -n1 | awk -F'|' '{print $3}'`
        tstamp=`head -n $rnum $fname | tail -n1 | awk -F'|' '{print $1}'`
            nextline=`head -n $[$rnum+1] $fname | tail -n1`
            nextline2=`head -n $[$rnum+2] $fname | tail -n1`
        if [[ $nextline =~ $user && $nextline =~ "user changed password" && $nextline =~ "$tstamp" && $nextline2 =~ $user && $nextline2 =~ "user logged off" && $nextline2 =~ "$tstamp" ]]; then
            echo $user >> tmpuserlist 
        fi
    fi
    ((rnum++))
done <$fname
cat tmpuserlist | sort | uniq
rm -f tmpuserlist
./parser file.log 
erdsfsdfsdf
fxsciaqulmlk
fxsciulmla
terdsfsdfsdf
$