
It is that hard. The level of certainty you need when "less serious" fines have 8 digits is hard even if you're just running HTTP "Hello World" on port 80 on the internet. The risk of a mistake in your configuration logging PII that you misplace and forget about is too high.


Note that stuff like basic request logging is likely to¹ fall under “legitimate interest”: you can keep that data, so long as you only use it for diagnostics, debugging and basic analytics (e.g., no selling your server logs to Facebook). You aren't going to get in trouble for your basic Hello World.

And even if it didn't, the only PII that that would gather is IP addresses (and user agents, but I don't know that those count). It's relatively easy to hit your service from a local IP address with a custom User Agent, then check for that IP address and user agent in all the files on the machine. (Log files are pretty much all plain-text, but you could look for the two obvious byte encodings of the IP address too, if you like. Maybe also check the contents of gz files, but that's starting to get silly.)

¹: Read: I'm basically certain, but I'm not a lawyer and my understanding of the “legitimate interest” basis is not as good as my understanding of the rest of GDPR.
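The sweep described above (hit your own service from a known IP with a custom User-Agent, then look for that IP as text, in the two binary byte orders, and inside gz archives across the machine's files), written up as an added example; it is not the commenter's code, and the probe values, file names and the choice of network-order and reversed bytes as "the two obvious encodings" are assumptions.

```python
import gzip
import ipaddress
import os
import tempfile

def ip_encodings(ip):
    # Dotted text plus the two obvious 4-byte binary forms (network byte order
    # and its reverse); that these are the two meant is an assumption here.
    packed = ipaddress.IPv4Address(ip).packed
    return {"text": ip.encode(), "be": packed, "le": packed[::-1]}

def scan_bytes(data, patterns):
    return sorted(name for name, pat in patterns.items() if pat in data)

def scan_file(path, patterns):
    with open(path, "rb") as f:
        data = f.read()
    hits = scan_bytes(data, patterns)
    if path.endswith(".gz"):  # rotated logs: also look inside the archive
        try:
            hits += ["gz:" + h for h in scan_bytes(gzip.decompress(data), patterns)]
        except OSError:
            pass  # not a valid gzip stream; the raw scan above still counts
    return hits

def scan_tree(root, ip, user_agent):
    patterns = ip_encodings(ip)
    patterns["ua"] = user_agent.encode()
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                hits = scan_file(path, patterns)
            except OSError:
                continue  # unreadable file; skip rather than abort the sweep
            if hits:
                findings[path] = hits
    return findings

def demo():
    # Constructed sample files standing in for the server's filesystem.
    root = tempfile.mkdtemp()
    ip, ua = "192.0.2.10", "pii-probe/1.0"
    with open(os.path.join(root, "access.log"), "w") as f:
        f.write(f'{ip} - - [01/Jan/2024] "GET / HTTP/1.1" 200 12 "-" "{ua}"\n')
    with open(os.path.join(root, "access.log.1.gz"), "wb") as f:
        f.write(gzip.compress(f"{ip} GET /health\n".encode(), mtime=0))
    with open(os.path.join(root, "sessions.bin"), "wb") as f:
        f.write(b"\x00" * 8 + ipaddress.IPv4Address(ip).packed + b"\x00" * 8)
    return root, scan_tree(root, ip, ua)
```

Run `scan_tree("/", ip, ua)` on the real host after the probe request; every path it reports is somewhere the request's PII ended up, including rotated archives and files that store the address in binary.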


With the potential for a 10 million euro fine, I don't think "basically certain" is sufficient.

