My experience has been exactly the opposite. All network devices I have worked with: router, switches, firewalls, load balancers instantly send the message when traffic crosses the device. You can watch it real time in our syslog server and troubleshoot issues as they happen.
In our case with CPPM, I wanted to use syslog to send user ID and IP address info to our StealthWatch system to account for user ID in NetFlow records. StealthWatch has a syslog parser.
In addition, I need real time userID & IP info fed into our Palo Alto firewalls for user based authentication rule sets.
If CPPM holds onto this info for 90 seconds, it will cause issues for sure.
Thanks for your feedback.