log files have a different original purpose. But yes, if you repurpose your log files to track individual users granularly, that processing would be illegal without gathering informed consent first.
Unless it's necessary. The legitimate interests basis of the GDPR allows you to make a balanced decision of your business requirements against user privacy expectations.
Yes, and you have to outline how the processing is necessary for providing the service; there has to be no less-intrusive method of achieving the desired result, and you have to be ready to prove it.
Hint: user-level analytics rarely is. And in this specific example, repurposing logs kept for one purpose (e.g., security/auditing) for user analytics is definitely not something you can just do.