I have limited disk space on /var/log path, so I try to manage phantom log rotation ( follow this link: Configure the logging levels for Splunk SOAR (On-premises) daemons - Splunk Documentation)
but I found a large file named "app_interface.log" that was not included in phantom_logrotate.conf
Does anyone have any suggestions on what kind of records are collected in this file? and What is the best practice to rotate this file?
There is a lot of context here for some app operations like widget generation but its not terribly useful beyond the scope of debugging an app issue. I would suggest adding it to the logrotate conf and setting it to roll daily. I wouldn't personally keep more than 7 days. Really if you are debugging an app, historical records are much less useful that active debugging.