The problem is that if you are importing this data into Graylog, or any SIEM for that matter, some critical information is missing, especially when analysing multiple machines, and the output also has some formatting issues. For one-off analysis of a specific machine this information isn't really missing: it is normally documented in the file name or elsewhere, and putting it in the output file would be fairly useless outside a SIEM. But since we are sending this data to a SIEM, there are three issues, or better yet "features", missing from the generated JSON file:

1. The host name or IP address of the machine the memory dump came from.
2. The plugin used to create the JSON file.
3. Because of how the JSON file is structured (a "columns" array plus a "rows" array), shipping the file directly to Graylog makes Graylog store it as a single document rather than one message per row. That isn't a blocker, since extractors or a pipeline can be created to pull the fields out, but why do the additional work if you don't have to?

I couldn't find a utility that solved all three of these issues, and I felt this was out of scope for extending the unified-output module, so I ended up writing a standalone Python utility that solves the problem. It is called vol2log. It adds the plugin name and the host name or IP address of the machine whose memory dump you ran Volatility against, both of which you specify on the command line, and posts the data to Graylog in a form that needs no additional processing to extract the fields.
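To make the three additions concrete, here is a small Python example that does what vol2log does at a high level. It is an added illustration written for this page, not vol2log's own code: it reads Volatility's unified JSON output ("columns" plus "rows"), attaches a host name and plugin name from the caller, and turns each row into its own GELF message whose additional fields are the plugin's column names, so Graylog indexes the fields directly instead of storing one blob. The sample output, host name ("ws01"), plugin name and the GELF HTTP endpoint (port 12201) are constructed assumptions; the `post_gelf` helper is only called from `main`.

```python
import json
import re
import urllib.request
from typing import Any, Dict, List

# Constructed sample of Volatility unified JSON output (pslist-style columns),
# embedded here so the example runs offline. Real files have the same shape.
SAMPLE_UNIFIED_JSON = json.dumps({
    "columns": ["Offset(V)", "Name", "PID", "PPID"],
    "rows": [
        ["0xfffffa8001234560", "System", 4, 0],
        ["0xfffffa8001abcdef", "explorer.exe", 1234, 1100],
    ],
})


def gelf_field_name(column: str) -> str:
    """Map a Volatility column name to a legal GELF additional-field name.

    GELF additional fields must start with an underscore and may only contain
    letters, digits, underscore, dot and dash, and '_id' is reserved. Column
    names such as 'Offset(V)' therefore need sanitising.
    """
    name = re.sub(r"[^\w.\-]", "_", column)
    if name == "id":
        name = "id_"
    return "_" + name


def unified_to_gelf(unified_json: str, host: str, plugin: str) -> List[Dict[str, Any]]:
    """Turn a unified-output JSON document into one GELF message per row.

    `host` and `plugin` are the two pieces of context the unified output lacks;
    they are added to every message so results from many machines and plugins
    can be separated in the SIEM.
    """
    data = json.loads(unified_json)
    columns = data["columns"]
    messages = []
    for row in data["rows"]:
        msg: Dict[str, Any] = {
            "version": "1.1",
            "host": host,
            "short_message": f"volatility {plugin}",
            "_plugin": plugin,            # field 2: the plugin that produced the row
        }
        # Each column becomes its own indexed field, so no extractor is needed.
        for column, value in zip(columns, row):
            msg[gelf_field_name(column)] = value
        messages.append(msg)
    return messages


def post_gelf(messages: List[Dict[str, Any]], url: str) -> None:
    """POST each message to a Graylog GELF HTTP input (assumed at `url`)."""
    for msg in messages:
        body = json.dumps(msg).encode("utf-8")
        req = urllib.request.Request(
            url, data=body, headers={"Content-Type": "application/json"}, method="POST"
        )
        urllib.request.urlopen(req, timeout=5).close()


def main() -> None:
    # Assumed endpoint: a GELF HTTP input listening on Graylog's default port.
    msgs = unified_to_gelf(SAMPLE_UNIFIED_JSON, host="ws01", plugin="pslist")
    post_gelf(msgs, "http://graylog.example.internal:12201/gelf")


if __name__ == "__main__":
    main()
```

The key design choice is emitting one GELF message per row rather than posting the file whole; that is what makes the columns searchable fields without extractors or a pipeline. Column-name sanitising matters in practice because Volatility plugins routinely use names with parentheses or spaces, which a GELF input will reject.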

Here is a partial example of a JSON file posted directly to Graylog, before it is passed through vol2log and without any additional pipelines or extractors populating the fields: