You have created a journal rule which you have applied to a distribution/security group. Every email sent through this distribution/security group. However when you add a user to this distribution group the email they send or receive is not journalled for sometimes up to half a day. Why is this?
Each Hub Transport server caches distribution group membership. This reduces load on your Active Directory domain controllers. By default, entries in the expanded groups cache expire in four hours.
I don't want to wait the 4 hours?
If you want to make group membership changes immediate so journaling takes effect right away you must restart the Microsoft Exchange Transport service on each Hub Transport server. This will force an immediate update of the recipient cache. You must do this for each Hub Transport server where you want to forcibly update the recipient cache.
For more information on journaling take a look at: