Introduction to Installing SL1

Download this manual as a PDF file

This manual describes how to install and configure SL1.

What is SL1?

In a Distributed system, there are four general functions that an SL1 appliance can perform: user interface, Database Server, Data Collector, and Message Collectors. In large SL1 systems, dedicated nodes or appliances perform each function. In smaller systems, some nodes or appliances perform multiple functions. In the All-In-One Appliance system, a single SL1 node or appliance performs all four functions.

User Interface

Administrators and users access the user interface through a web browser. In the user interface, you can view collected data and reports, define organizations and user accounts, define policies, view events, and create and view tickets, among other tasks. The node or appliance that provides the user interface also generates all scheduled reports and provides access to the ScienceLogic API. The following nodes or appliances provide the user interface:

  • All-In-One Appliance. An All-In-One Appliance performs all functions, including providing the user interface.
  • Database Server. A Database Server can provide the user interface in addition to its database function.
  • Administration Portal. A dedicated Administration Portal node or appliance can provide the user interface.

NOTE: The Administration Portal communicates only with the Database Server and no other SL1 appliance. All connections between the Administration Portal and the Database Server are encrypted in both directions.

Database Server

The node or appliance that provides the database function is responsible for:

  • Storing all configuration data and policy data.
  • Storing performance data collected from managed devices.
  • In a distributed system, pushing data to and retrieving data from the nodes or appliances responsible for collecting data and collecting messages.
  • Processing and normalizing collected data.
  • Allocating tasks to the other nodes or appliances in the SL1 System.
  • Executing some automation actions in response to events.
  • Sending all email generated by the system.
  • Receiving all inbound email for events, ticketing, and round-trip email monitoring.

The following appliances can perform these database functions:

  • All-In-One Appliance. An All-In-One Appliance performs all functions.
  • Database Server. A dedicated Database Server provides all database functions.

Data Collection

Data Collectors are the SL1 nodes or appliances that retrieve data from monitored devices. In a distributed system, nodes or appliances that perform the data collection function also perform some pre-processing of collected data and execute automation actions.

The following appliances can perform the collection function:

  • All-In-One Appliance. An All-In-One Appliance performs all functions.
  • Data Collector. One or more Data Collectors are configured in collector groups for resilience. A collector group can be configured such that if an individual collector fails, other members of the group will pick up and share the load (N+1). A Data Collector can also perform the message collection function.

NOTE: The SL1 Agent can also be used to collect data from devices on which it can be installed. See the System Requirements page of the Support Site for a complete list of operating systems and versions supported by the agent. You can collect data from devices using only Data Collectors, using only the SL1 Agent, or using a combination of both.

Message Collection

The SL1 appliances that receive and process inbound, asynchronous syslog and trap messages from monitored devices.

The following nodes or appliances can perform the message collection function:

  • All-In-One Appliance. An All-In-One Appliance performs all functions.
  • Message Collector. A dedicated Message Collector receives and processes inbound, asynchronous syslog and trap messages from monitored devices.
  • In distributed systems that use the SL1 agent, the Message Collector passes agent data to the Database server. On these distributed systems, the Message Collector must be a stand-alone node or appliance, not a combination Data Collector/Message Collector.
  • Data Collector. A Data Collector can also perform the message collection function in addition to the data collection function.

What is SL1 Extended?

SL1 Extended Architecture includes additional types of SL1 nodes or appliances. The following SL1 features require the SL1 Extended Architecture:

  • Expanded Agent Capabilities. You can configure the SL1 Agent to communicate with SL1 via a dedicated Message Collector. However, this configuration limits the capabilities of the SL1 Agent. If you configure the SL1 Agent to communicate with SL1 via a Compute Cluster, you expand the capabilities of the SL1 Agent to include features like extensible collection and application monitoring.
  • Data Pipelines. Data pipelines transport and transform data. Data transformations include enrichment with metadata, data rollup, and pattern-matching for alerting and automation. The Data Pipelines provide an alternative to the existing methods of data transport (data pull, config push, streamer, and communication via encrypted SQL) in SL1. Data pipelines introduce message queues and communicate using encrypted web services.
  • Publisher. Publisher enables the egress of data from SL1. Publisher can provide data for long-term storage or provide input to other applications the perform analysis or reporting.
  • Scale-out storage of performance data . Extended Architecture includes a non-SQL database (Scylla) for scalable storage of performance data.
  • Anomaly Detection and future AI/ML developments. Anomaly detection is a technique that uses machine learning to identify unusual patterns that do not conform to expected behavior. SL1 does this by collecting data for a particular metric over a period of time, learning the patterns of that particular device metric, and then choosing the best possible algorithm to analyze that data. Anomalies are detected when the actual collected data value falls outside the boundaries of the expected value range.

SL1 Extended Architecture includes the following additional SL1 nodes or appliances:


Compute nodes are the SL1 appliances that transport, process, and consume the data from Data Collectors and the SL1 Agent. SL1 uses Docker and Kubernetes to deploy and manage these services. T

Load Balancer

A load balance is the SL1 node or appliance that brokers communication with services running on the Compute Cluster. Services running on the Compute Cluster are managed by Kubernetes. Therefore, a single service could be running on one Compute node in the Compute Cluster; to provide scale, multiple instances of a single service could be running on one, many, or all nodes in the Compute Cluster. To provide scale and resiliency, you can include multiple Load Balancers in your configuration.


SL1 Extended includes a Storage Cluster that includes multiple Storage Nodes and a Storage Manager. These SL1 nodes or appliances provide a NoSQL alternative to the SL1 relational database. The Storage Cluster can store performance and log data collected by the Data Collectors and the SL1 Agent.


The Management Node allows administrators to install, configure, and update packages on the Compute Nodes cluster, Storage Nodes , and the Load Balancer. The Management Node also allows administrators to deploy and update services running on the Computer Cluster.

The SL1 Agent

The SL1 agent is a program that you can install on a device monitored by SL1. There is a Windows agent and a Linux agent. The agent collects data from the device and pushes that data back to SL1.

Similar to a Data Collector or Message Collector, the agent collects data about infrastructure and applications.

You can configure an agent to communicate with either the Message Collector or the Compute Cluster.

Third-Party Software

ScienceLogic does not support users installing third-party software on SL1 systems or users making unauthorized changes to the configuration of SL1. Doing so voids any warranties, express or implied.