
Source? AFAIK web-server logs logging IPs are not allowed under GDPR.


I looked into this back when the GDPR came into effect [0]. I am not a lawyer, but in summary:

Web sites are allowed to log data (including visitor requests and IPs) required for the smooth running of the site. It could be argued that keeping logs allows for trouble-shooting so web server logging is probably OK in most circumstances.

However, there is no reason to keep months/years of logs around. Having this data is actually a liability under the GDPR and you should be aggressively deleting logs after a few days.

[0] https://sheep.horse/2018/6/the_eu_general_data_protection_re...


>It could be argued

I, for one, would not like to argue this in court. I heard many lawyers advising against storing IP addresses.

And yes, long-term analytics are a no-no. So good luck comparing your website performance year to year or even detecting seasonality.


That would be interesting. They all log IPs by default. Here's an example from nginx:

192.168.1.122 - - [10/Feb/2022:11:32:35 +0000] "GET /audio/pop.wav HTTP/1.1" 206 28366 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0" "-"



