Oscar_Wee
Staff
March 26, 2026

Troubleshooting Tip: FortiGate stopped sending logs to a TCP destination after a Splunk service restart

Description This article describes how to get FortiGate to resume sending logs to a TCP destination after a Splunk service restart.
Scope FortiGate.
Solution

When a FortiGate firewall stops forwarding logs to a TCP destination after the Splunk service is restarted, it is usually because the existing TCP session between FortiGate and Splunk was terminated, and the firewall has not established a new one. FortiGate handles Syslog over TCP as a persistent connection, so when the receiving service restarts, the session may remain stuck in an 'Action=Close' or 'Reset' state instead of reconnecting automatically.

 

To force the firewall to re-establish the connection without a full device reboot, restart the local logging daemon (miglogd) on the FortiGate:

 

fnsysctl killall miglogd

   

Note:
To verify that logs are being sent:

 

diagnose sniffer packet any 'tcp port 514' 4 0 l
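
The following is an added example, not part of the original article: a small Python check that reads saved output from the sniffer command above and reports whether syslog payload is still reaching the collector or the session was torn down. The sample captures are constructed; their line layout (timestamp, interface, direction, source -> destination, flags) is an assumption modeled on verbosity 4 output, and the addresses and the interface name port1 are placeholders.

```python
import re

# One packet line: "<timestamp> <intf> <in|out> <src.port> -> <dst.port>: <flags...>"
PKT = re.compile(r"(?P<intf>\S+)\s+(?P<dir>in|out)\s+(?P<src>\S+)\s+->\s+"
                 r"(?P<dst>\S+):\s+(?P<rest>.*)")
TCP_FLAGS = {"syn", "fin", "rst", "psh", "ack"}

# Constructed sample: payload is sent, then the collector resets the session.
SAMPLE_STALE = """\
interfaces=[any]
filters=[tcp port 514]
2026-03-26 10:15:01.120334 port1 out 192.0.2.10.20514 -> 198.51.100.20.514: psh 3315678 ack 99120345
2026-03-26 10:15:01.121002 port1 in 198.51.100.20.514 -> 192.0.2.10.20514: rst 99120345
"""

# Constructed sample: after the logging daemon restart a new session carries payload.
SAMPLE_RECOVERED = SAMPLE_STALE + """\
2026-03-26 10:20:07.500100 port1 out 192.0.2.10.20877 -> 198.51.100.20.514: syn 4410001
2026-03-26 10:20:07.500900 port1 in 198.51.100.20.514 -> 192.0.2.10.20877: syn 7720001 ack 4410002
2026-03-26 10:20:07.501000 port1 out 192.0.2.10.20877 -> 198.51.100.20.514: ack 7720002
2026-03-26 10:20:07.640000 port1 out 192.0.2.10.20877 -> 198.51.100.20.514: psh 4410002 ack 7720002
"""


def classify(capture, port="514"):
    """Return 'no-traffic', 'handshake-only', 'torn-down' or 'flowing'.

    The verdict reflects the most recent relevant packet, so a reset seen
    after the last payload packet means forwarding has stopped.
    """
    state = "no-traffic"
    for line in capture.splitlines():
        m = PKT.search(line)
        if not m:
            continue  # header lines such as filters=[...]
        flags = TCP_FLAGS & set(m["rest"].split())
        to_collector = m["dst"].rsplit(".", 1)[-1] == port
        if flags & {"rst", "fin"}:
            state = "torn-down"          # session closed by either side
        elif to_collector and "psh" in flags:
            state = "flowing"            # log payload sent to the collector
        elif "syn" in flags and state != "flowing":
            state = "handshake-only"     # reconnecting, no payload yet
    return state


if __name__ == "__main__":
    print("before restart:", classify(SAMPLE_STALE))
    print("after restart: ", classify(SAMPLE_RECOVERED))
```

A verdict of torn-down or no-traffic on a capture taken after the Splunk restart matches the stuck-session condition described above; flowing after the miglogd restart confirms recovery.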