Risk logs from a client are taking up to 15 minutes to get sent to the syslog server by the Symantec Endpoint Protection Manager (SEPM).
Risk logs will be sent from the client to the SEPM within approximately 1 minute of the event occurring, if the "Let clients upload critical events immediately" option is selected in the group communication settings.
All other non-critical events are uploaded at the client's normal heartbeat interval.
After the upload, logs are then processed and added to the SEPM database, typically within 2 minutes.
Client logs are then delayed by the SEPM for up to 15 minutes before being forwarded to the syslog server.
This functionality is by design. It ensures that no logs are missed or incomplete when being sent to the syslog server.