diff --git a/doc/log-mgmt-frontend-design.md b/doc/日志监控.md
similarity index 100%
rename from doc/log-mgmt-frontend-design.md
rename to doc/日志监控.md
diff --git a/internal/ingest/engine.go b/internal/ingest/engine.go
index fc82bc1..500ec04 100644
--- a/internal/ingest/engine.go
+++ b/internal/ingest/engine.go
@@ -129,12 +129,18 @@ func (e *Engine) HandleSyslog(addr *net.UDPAddr, payload []byte) {
 if matched == nil {
 return
 }
+ // 与 alert/doc/17-resource-correlation 约定一致(字段映射)
 labels := map[string]string{
- "source": "syslog",
- "device": device,
- "rule_id": strconv.FormatUint(uint64(matched.ID), 10),
- "rule_name": matched.Name,
- "remote_addr": addr.String(),
+ "source_type": "log",
+ "source_subtype": "syslog",
+ "resource_type": "log_rule",
+ "resource_id": strconv.FormatUint(uint64(matched.ID), 10),
+ "rule_name": matched.Name,
+ "device": device,
+ "remote_addr": addr.String(),
+ "ip": addr.IP.String(),
+ "instance": firstNonEmpty(device, addr.String()),
+ "job": "logs-syslog",
 }
 rawObj := map[string]interface{}{
 "source": "syslog",
@@ -302,13 +308,23 @@ func (e *Engine) HandleTrap(addr *net.UDPAddr, pkt *gosnmp.SnmpPacket) {
 desc = readable + "\n恢复建议: " + dict.RecoveryMessage
 }
 labels := map[string]string{
- "source": "snmp_trap",
- "trap_oid": trapOID,
- "remote_addr": addr.String(),
+ "source_type": "log",
+ "source_subtype": "snmp_trap",
+ "trap_oid": trapOID,
+ "remote_addr": addr.String(),
+ "ip": addr.IP.String(),
+ "instance": addr.IP.String(),
+ "job": "logs-trap",
 }
 if matched.ID != 0 {
- labels["rule_id"] = strconv.FormatUint(uint64(matched.ID), 10)
+ labels["resource_type"] = "trap_rule"
+ labels["resource_id"] = strconv.FormatUint(uint64(matched.ID), 10)
 labels["rule_name"] = matched.Name
+ } else {
+ labels["resource_type"] = "trap_dictionary"
+ if trapOID != "" {
+ labels["resource_id"] = trapOID
+ }
 }
 resolved := map[string]interface{}{}
 if dict != nil {
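Review bot: The new `instance` label in HandleSyslog falls back to `addr.String()`, which includes the sender's UDP port, while the HandleTrap hunk in the same commit uses `addr.IP.String()` for `instance` and this hunk itself uses `addr.IP.String()` for the `ip` label one line above. Ephemeral source ports change between datagrams from the same host, so a device without a resolvable name fans out into one `instance` series per port and never lines up with the trap side. Suggest `"instance": firstNonEmpty(device, addr.IP.String()),`. The `device` value is computed outside the hunk; if it is derived from the untrusted payload it should already be length-bounded and sanitised before becoming a label value, which cannot be confirmed from here. HandleSyslog continues outside the hunk.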
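Review bot: In HandleTrap's new `else` branch, `resource_type` is set to `"trap_dictionary"` whenever no rule matched, but the context line `if dict != nil {` later in the hunk shows that `dict` can be nil, so a trap with neither a rule nor a dictionary entry is still labelled as a dictionary resource with `resource_id` set to the raw OID. Any correlation keyed on `resource_type`/`resource_id` would then point at a dictionary entry that does not exist. Gating the branch on the dictionary, `} else if dict != nil {`, with the two assignments left as they are, keeps `resource_type` unset for unknown traps unless the correlation convention defines a neutral value for that case. Whether `dict` is fully resolved at this point cannot be seen from the hunk; HandleTrap starts and continues outside it.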