There are no way to anonymise IP addresses in AWstats? If that true, I'll have a look into their code and provide a patch because such feature should be in AWStats core.
I dont know, i haven't checked this. Most of our customers do not use AWStats, they use Piwik, Google Analytics, ... I have not found any information in awstats conf files to disable ip adresses or anonymize IPs. So this was the way to handle it in our case - reset logs, anonymize at webserver logs.
yep, if the IP addresses are anonymized you can no longer block attacks ...
what would be the maximum in days for a log rotation according to the GDPR?
7 days
Clients that make use of the control panel are registered clients. As such, you can document the logging function of the control panel. This should be part of the client pre-agreement.
The other logs such as authentication failure for unauthenticated users are part of the security layer. As such, you're free to store the action and IP address. Those information are used by the i-MSCP bruteforce attack plugin to mitigate dictionnary attacks. The plugin is de facto, part of your security layer. The GDPR (EU-DSGVO) clearly state that the controlller (you) must take all possible of the art measures to protect personal data and to ensure that personal data does not get stolen from servers. The security layer is one of such a measure. For those last logs, I'll soon make the control panel compliant by restricting the data retention.
Please, don't try to apply the GDPR stricto sensu. You cannot and you shouldn't. The GDPR is subject to interpretation. Basically, storing an IP address for security reasons is part of Lawfulness of processing (GDPR art.6).
Without IP there would be no internet. Unfortunately exact this address was qualified as a personal date.
Today we are realizing a lot of threads to websites, hacks from anywhere and with a great portion of professionality. And exact this fact is the reason to log IPs.
Within the GDPR there is the instrument of the "legitimate interest". In Germany there is so far an agreement on 14 days ( @Nuxwin sources for 7 days? Maybe the discussion in France?).
Regard: a great publishing company (books on security and law) mentioned in their own declaration of data protection 90 days! They should know! Should be ok, too. Just imagine: if there is a consent on 7 days any attacker would only enlarge his attacking frequency. Just don't forget to mention this logging time exactly.
After all i would support Nuxwins kind of view. Don't be too strict on the backend. First do your homework on the frontend and - that's really new - document your data processing and data access.
Additionaly to @fulltilt:
Immer, wenn ein "Dritter" ins Spiel kommt, sollte ein ADV-Vertrag vorliegen.
Deinerseits, wenn du Dienstleistungen anderer in Anspruch nimmst.
Von deinen Kunden, wenn du für sie Daten speicherst oder bearbeitest.
Es wird zunehmend einfacher, weil auch das Ankreuzen eines Online Formulars ausreicht. Es ist nicht mehr Briefpost oder E-Mail-Verkehr erforderlich.
7 days? Maybe the discussion in France?)
Not really. If fact, logs retention time doesn't really matter as long as you can prove that this is strickly required for securing the server, and by that, I mean the protection of your clients personal data as targeted by the GDPR. When you say 14 days in Germany, that is just a convenience agreement but in fact, 90 days shouldn't be a problem too as long as you can prove that this is required for the system integrity. In that regard and if you would be subject to legal proceedings, a court would research the common practice for such application domain and would take a decision on that basis and this could lead to new case law. That why in Germany you have that 14 days agreement (common usage for logs retention).
Of course, clients personal data cannot longer be used for tracking, statistical purpose without a pre-agreement. This necessarely mean that tools such as AWStat cannot longer be used AS THIS. You cannot get a pre-agreement of visitors, meaning that you're not allowed to process their IP addresses for such a purpose.... That a bit annoying...
14 days would be better ... and if the physical location of a server is in germany and the company is registered e.g. in france?
it's becoming increasingly unmanageable ... haha 
if I resell vps & dedicated servers I guess the customers are responsible for that?