Architecture Overview


This section describes the architecture of SL1 systems, covering most common configurations of SL1 appliances. This section can help System Administrators and staff who are responsible for planning the architecture and configuration of SL1 systems.

Use the following menu options to navigate the SL1 user interface:

  • To view a pop-out list of menu options, click the menu icon.
  • To view a page containing all the menu options, click the Advanced menu icon.


SL1 Configurations

SL1 includes one or more appliances or nodes (part of a cluster) that function together to provide the SL1 platform and application. There are three primary configurations:

  • All-In-One. In this configuration, a single appliance provides all the functions of SL1. The capacity of an All-In-One instance cannot be increased by adding additional appliances. This configuration is best for smaller deployments.
  • Distributed. In this configuration, the functions of SL1 are divided between multiple appliances. A Distributed instance of SL1 can be as small as two appliances or include multiple instances of each appliance. This configuration is best for production environments that monitor lots of devices or that monitor a large volume of data for each device.
  • Extended. An extension of a Distributed instance. The Extended configuration adds both a Compute Cluster and a Storage Cluster. The Compute Cluster includes multiple Compute Nodes. The Storage Cluster includes multiple Storage Nodes. The Extended configuration also adds a Management Node to install and update the Compute Cluster and Storage Cluster, and one or more Load Balancers to manage the workload to the Compute Cluster. This configuration provides scale and can take advantage of the SL1 Agent to collect detailed data about devices and applications.

Resiliency and redundancy can also be accomplished by adding additional appliances to these configurations.

SL1 Appliances and Nodes

An instance of SL1 is comprised of one or more of the following appliances or nodes:

  • All-In-One Appliance. A single appliance that provides all the functions of SL1. The capacity of an All-In-One instance cannot be increased by adding additional appliances.
  • Database Server. The Database Server contains a relational database used for all policy and configuration data. This database also stores performance data and log data.
  • Data Collector. Data Collectors run multiple services, primarily for "agent-less" collection. Each Data Collector is responsible for collecting a specific set of information from a specific set of devices. Data Collectors can also receive instructions for asynchronous tasks including discovery, user-driven device tools, and automation actions for incident enrichment and remediation.
  • Message Collector. The Message Collector collects syslog and trap messages from devices. The Message Collector also communicates with the earliest version of the SL1 Agent and sends data collected by that agent to the Database Server.
  • Administration Portal. The Administration Portal provides dedicated access to the SL1 user interface and API.
  • Compute Cluster. A cluster of Compute Nodes. Each Compute Node includes Docker, Kubernetes, and a range of SL1 services for features like data pipelines, Publisher, and expanded features in the SL1 Agent.
  • Load Balancer. Provides access to the services running on the Compute Cluster.
  • Storage Cluster. A cluster of Storage Nodes. Each Storage Node contains a NoSQL database that stores configuration data and storage data from some SL1 services.
  • Management Node. The Management Node allows administrators to install and update packages on the Compute Cluster, Storage Cluster, and the Load Balancer, and also to update services on the Compute Cluster.
  • Platform Node. The Platform Node allows administrators to install and configure the Compute Cluster, Storage Cluster, Management Node, and Load Balancer. Administrators install generic Platform Nodes and transform the Platform Nodes into Compute Nodes, Storage Nodes, a Management Node, and one or more Load Balancers.
  • PowerFlow Server. The PowerFlow Server enables bi-directional communication between the ScienceLogic data platform and external data platforms to promote a unified management ecosystem. PowerFlow allows users to translate and share data between SL1 and other platforms without the need for programming knowledge.

SL1 Appliance Functions

In a Distributed system, there are four general functions that an SL1 appliance can perform: user interface, Database Server, Data Collector, and Message Collector. In large SL1 systems, dedicated appliances perform each function. In smaller systems, some appliances perform multiple functions. In the All-In-One Appliance system, a single SL1 appliance performs all four functions.

User Interface

Administrators and users access the user interface through a web browser. In the user interface, you can view collected data and reports, define organizations and user accounts, define policies, view events, and create and view tickets, among other tasks. The appliance that provides the user interface also generates all scheduled reports and provides access to the ScienceLogic API. The following appliances provide the user interface:

  • All-In-One Appliance. An All-In-One Appliance performs all functions, including providing the user interface.
  • Database Server. A Database Server can provide the user interface in addition to its database function.
  • Administration Portal. A dedicated Administration Portal appliance can provide the user interface.

NOTE: The Administration Portal communicates only with the Database Server and no other SL1 appliance. All connections between the Administration Portal and the Database Server are encrypted in both directions.

Database Server

The appliance that provides the database function is responsible for:

  • Storing all configuration data and policy data.
  • Storing performance data collected from managed devices.
  • In a distributed system, pushing data to and retrieving data from the appliances responsible for collecting data and collecting messages.
  • Processing and normalizing collected data.
  • Allocating tasks to the other appliances in the SL1 System.
  • Executing some automation actions in response to events.
  • Sending all Email generated by the system.
  • Receiving all inbound Email for events, ticketing, and round-trip Email monitoring.

The following appliances can perform these database functions:

  • All-In-One Appliance. An All-In-One Appliance performs all functions.
  • Database Server. A dedicated Database Server provides all database functions.

Data Collection

The SL1 appliances that retrieve data from monitored devices. In a distributed system, appliances that perform the data collection function also perform some pre-processing of collected data and execute automation actions.

The following appliances can perform the collection function:

  • All-In-One Appliance. An All-In-One Appliance performs all functions.
  • Data Collector. One or more Data Collectors are configured in collector groups for resilience. A collector group can be configured such that if an individual collector fails, other members of the group will pick up and share the load (N+1). A Data Collector can also perform the message collection function.

NOTE: The SL1 Agent can also be used to collect data from devices on which it can be installed. See the System Requirements page of the Support Site for a complete list of operating systems and versions supported by the agent. You can collect data from devices using only Data Collectors, using only the SL1 Agent, or using a combination of both.

Message Collection

The SL1 appliances that receive and process inbound, asynchronous syslog and trap messages from monitored devices.

The following appliances can perform the message collection function:

  • All-In-One Appliance. An All-In-One Appliance performs all functions.
  • Message Collector. A dedicated Message Collector receives and processes inbound, asynchronous syslog and trap messages from monitored devices.
  • In distributed systems that use the SL1 Agent, the Message Collector passes agent data to the Database Server. On these distributed systems, the Message Collector must be a stand-alone appliance, not a combination Data Collector/Message Collector.
  • Data Collector. A Data Collector can also perform the message collection function in addition to the data collection function.

SL1 Extended Architecture includes additional types of SL1 Appliances. The following SL1 features require the SL1 Extended Architecture:

  • Expanded Agent Capabilities. You can configure the SL1 Agent to communicate with SL1 via a dedicated Message Collector. However, this configuration limits the capabilities of the SL1 Agent. If you configure the SL1 Agent to communicate with SL1 via a Compute Cluster, you expand the capabilities of the SL1 Agent to include features like extensible collection and application monitoring.
  • Data Pipelines. Data pipelines transport and transform data. Data transformations include enrichment with metadata, data rollup, and pattern-matching for alerting and automation. The Data Pipelines provide an alternative to the existing methods of data transport (data pull, config push, streamer, and communication via encrypted SQL) in SL1. Data pipelines introduce message queues and communicate using encrypted web services.
  • Publisher. Publisher enables the egress of data from SL1. Publisher can provide data for long-term storage or provide input to other applications that perform analysis or reporting.
  • Scale-out storage of performance data. Extended Architecture includes a non-SQL database (Scylla) for scalable storage of performance data.
  • Anomaly Detection and future AI/ML developments. Anomaly detection is a technique that uses machine learning to identify unusual patterns that do not conform to expected behavior. SL1 does this by collecting data for a particular metric over a period of time, learning the patterns of that particular device metric, and then choosing the best possible algorithm to analyze that data. Anomalies are detected when the actual collected data value falls outside the boundaries of the expected value range.

SL1 Extended Architecture includes the following additional SL1 Appliances:

Compute

Compute Nodes are the SL1 appliances that transport, process, and consume the data from Data Collectors and the SL1 Agent. SL1 uses Docker and Kubernetes to deploy and manage these services.

Load Balancer

The SL1 appliance that brokers communication with services running on the Compute Cluster. Services running on the Compute Cluster are managed by Kubernetes. Therefore, a single service could be running on one Compute Node in the Compute Cluster; to provide scale, multiple instances of a single service could be running on one, many, or all nodes in the Compute Cluster. To provide scale and resiliency, you can include multiple Load Balancers in your configuration.

Storage

SL1 Extended includes a Storage Cluster that includes multiple Storage Nodes and a Storage Manager. These SL1 appliances provide a NoSQL alternative to the SL1 relational database. The Storage Cluster can store performance and log data collected by the Data Collectors and the SL1 Agent.

Management

The Management Node allows administrators to install, configure, and update packages on the Compute Nodes cluster, Storage Nodes, and the Load Balancer. The Management Node also allows administrators to deploy and update services running on the Compute Cluster.

The SL1 Agent

The SL1 Agent is a program that you can install on a device monitored by SL1. The SL1 Agent collects data from the device and pushes that data back to SL1.

Similar to a Data Collector or Message Collector, the SL1 Agent collects data about infrastructure and applications.

The agent can be configured to communicate with either the Message Collector or the Compute Cluster.

For more information about configurations with the SL1 Agent, see the chapter on the SL1 Agent.

For more information about monitoring devices with the agent, see the Monitoring with the SL1 Agent section.