I guess it will take some time for applications to be listed as vulnerable with the log4j exploit and show up in fleet vulnerabilities? App by app has to be checked and published by the NVD or whatever it is called right?

Yes, anything published to NVD should appear in Fleet's vulnerability listing.