Disable duplicate JSON access logger in the default configuration#668
Open
vharseko wants to merge 1 commit into
Open
Disable duplicate JSON access logger in the default configuration#668vharseko wants to merge 1 commit into
vharseko wants to merge 1 commit into
Conversation
New installations shipped with two enabled access loggers: the text File-Based Access Logger and the common-audit Json File-Based Access Logger, so every operation was logged twice. Under concurrent load the JSON handler's bounded write queue (JsonFileWriter.put) is the largest blocking point on the operation hot path: disabling it alone improves bind throughput by ~14% in the PR OpenIdentityPlatform#660 benchmark scenario. Keep the text access logger enabled and disable the JSON logger by default; it can still be enabled with dsconfig. Existing installations are unaffected. Document the JSON access logger in the admin guide (how to enable it, log file name, and the cost of running several access loggers) and add a note to the tuning chapter.
maximthomas
approved these changes
Jul 2, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
New installations ship with two enabled access loggers: the text
File-Based Access Loggerand the common-auditJson File-Based Access Logger(logs/ldap-access.audit.json), so every operation is logged twice.Profiling after #660 shows the JSON handler's bounded write queue is the
single largest blocking point on the operation hot path under concurrent
load. This PR disables the JSON access logger by default for new
installations (it remains available via
dsconfig) and documents it in theadmin guide. Existing installations are unaffected.
Problem
With the
AuthenticatedUserslock removed (#660), JFRjdk.ThreadParkprofiling of a saturated BIND workload shows worker threads spending most of
their blocked time waiting to enqueue log records:
JsonFileWriter.put(JSON access logger)AsynchronousTextWriter.writeRecord(text access logger)com.sleepycat.je.latch.LatchImpl.acquireExclusive(JE, for scale)Benchmark
Environment: packaged server built from this tree,
jebackend, 5,000 users(
uid=user.N,{SSHA}passwords) viasetup --sampleData 5000, JDK 11,8-core host (server and load generator co-located), 2 GB heap.
Load:
authratefrom the LDAP toolkit — 200 persistent connections, eachre-binding as a random distinct user; 30 s warm-up, 90 s measured,
steady-state = mean of the last 30 s:
Profiling:
jcmd <pid> JFR.start settings=profile(JavaMonitorEnter /ThreadPark / ExecutionSample) + periodic
jstacksampling.Errors were 0 in all runs.
Change
opendj-server-legacy/resource/config/config.ldif:ds-cfg-enabled: falseforcn=Json File-Based Access Logger, with a comment explainingwhy and how to enable it.
chap-monitoring.adoc): the JSON handler is now listed amongcommon audit handlers, and a new procedure "To Enable JSON LDAP Access
Logs" covers enabling it with
dsconfig(and optionally disabling thetext logger to avoid double logging).
chap-tuning.adoc): note in Logging Settings that eachenabled access logger multiplies per-operation logging cost.
Testing
list-log-publishersshows theJSON logger disabled and the text logger enabled;
logs/accessiswritten,
logs/ldap-access.audit.jsonis no longer created.dsconfig set-log-publisher-prop --publisher-name "Json File-Based Access Logger" --set enabled:truere-enables it as documented.