I'm no expert. But typically, when installing web servers, I don't enable logging. I'm more familiar with the issue of logging by VPN services. And I've been assured, by someone who runs one, that logging isn't necessary. Everything can be done in real time, with any "logs" retained briefly in RAM.
I'm an expert. The correct answer is to not log any PII data. Logging obvious PII because it might be useful in some hypothetical future sounds like plain incompetence. If you really need to log PII, log it separately and set clear policies about how this data is stored, how it's replicated, who can access it. If you need to log some PII IDs in common logs, use some fuzzy hashing: good enough for logs, not good enough to restore the original PII.
PII that you don't need can become like radioactive waste. If it gets subpoenaed, and it comes out that you retained and produced it, your reputation may be hosed. But if there's nothing to produce, no problem.
That's actually not quite correct. If you're required by law to retain that PII, you'll be hosed if you can't produce it. But then, maybe you should be doing business in a different jurisdiction.
I'm thinking of Private Internet Access. To my knowledge, logs have been subpoenaed in two US criminal cases. And they just said that they didn't retain logs. But then, VPN services aren't required to retain logs in the US.
