
Static websites can collect data too. Lots of stuff can go into web server logs.


And web server logs are fine for troubleshooting and detecting abuse, you don't even need to ask for consent!

Only things like tracking, ads, and sending data to areas without equivalent privacy laws are forbidden. The intent and usage of the collected information is a big part of what is and isn't allowed.


Source? AFAIK web-server logs logging IPs are not allowed under GDPR.


I looked into this back when the GDPR came into effect [0]. I am not a lawyer but in summary:

Web sites are allowed to log data (including visitor requests and IPs) required for the smooth running of the site. It could be argued that keeping logs allows for trouble-shooting so web server logging is probably OK in most circumstances.

However, there is no reason to keep months/years of logs around. Having this data is actually a liability under the GDPR and you should be aggressively deleting logs after a few days.

[0] https://sheep.horse/2018/6/the_eu_general_data_protection_re...


>It could be argued

I, for one, would not like to argue this in court. I heard many lawyers advising against storing IP addresses.

And yes, long-term analytics are a no-no. So good luck comparing your website performance year to year or even detecting seasonality.


That would be interesting. They all log IPs by default. Here's an example from nginx:

192.168.1.122 - - [10/Feb/2022:11:32:35 +0000] "GET /audio/pop.wav HTTP/1.1" 206 28366 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0" "-"



