The SURFids system consists of 3 major parts:
The logging server is the part of the system that handles the web interface, i.e., the visual representation of the captured data. It is also usually where the database is located, but you can reserve a different physical machine for the database to spread out the load.
The tunnel server is the part of the system that will handle the connections to all the sensors. It's basically the central hub of the whole system. This is the system that will either handle the detection of attacks and traffic or will distribute the traffic to other systems that will do this.
The sensors are the distributed part of the system. A sensor is a Debian/Debian Live OS that has the surfids-sensor package installed. Its sole function is to set up an OpenVPN tunnel to the tunnel server and redirect the traffic. The idea is to put a sensor in each network you want to monitor.
For a more detailed overview check out the Global page.