[octavn]

>Saving ip adresses in log files can be fully complaint IF you only use them for legal reasons (sue an attacker, ...), have severe access restrictions on the files, delete them as fast as possible and get consent from the user prior to saving the logs.

You do not need consent for saving the IP, user agent and URL (including GET values) in Apache logs because, as someone said above, you have a "legitimate interest to combat fraud and maintain information security".

Legitimate interest and consent are only 2 of the 6 legal bases under which you can collect and store (process) personal data. Art. 6 contains all 6 https://gdpr-info.eu/art-6-gdpr/ .