fix

internal/ingest/engine.go

@@ -129,12 +129,18 @@ func (e *Engine) HandleSyslog(addr *net.UDPAddr, payload []byte) {
 	if matched == nil {
 		return
 	}
+	// 与 alert/doc/17-resource-correlation 约定一致（字段映射）
 	labels := map[string]string{
-		"source":      "syslog",
-		"device":      device,
-		"rule_id":     strconv.FormatUint(uint64(matched.ID), 10),
-		"rule_name":   matched.Name,
-		"remote_addr": addr.String(),
+		"source_type":    "log",
+		"source_subtype": "syslog",
+		"resource_type":  "log_rule",
+		"resource_id":    strconv.FormatUint(uint64(matched.ID), 10),
+		"rule_name":      matched.Name,
+		"device":         device,
+		"remote_addr":    addr.String(),
+		"ip":             addr.IP.String(),
+		"instance":       firstNonEmpty(device, addr.String()),
+		"job":            "logs-syslog",
 	}
 	rawObj := map[string]interface{}{
 		"source":       "syslog",
@@ -302,13 +308,23 @@ func (e *Engine) HandleTrap(addr *net.UDPAddr, pkt *gosnmp.SnmpPacket) {
 		desc = readable + "\n恢复建议: " + dict.RecoveryMessage
 	}
 	labels := map[string]string{
-		"source":      "snmp_trap",
-		"trap_oid":    trapOID,
-		"remote_addr": addr.String(),
+		"source_type":    "log",
+		"source_subtype": "snmp_trap",
+		"trap_oid":       trapOID,
+		"remote_addr":    addr.String(),
+		"ip":             addr.IP.String(),
+		"instance":       addr.IP.String(),
+		"job":            "logs-trap",
 	}
 	if matched.ID != 0 {
-		labels["rule_id"] = strconv.FormatUint(uint64(matched.ID), 10)
+		labels["resource_type"] = "trap_rule"
+		labels["resource_id"] = strconv.FormatUint(uint64(matched.ID), 10)
 		labels["rule_name"] = matched.Name
+	} else {
+		labels["resource_type"] = "trap_dictionary"
+		if trapOID != "" {
+			labels["resource_id"] = trapOID
+		}
 	}
 	resolved := map[string]interface{}{}
 	if dict != nil {