After changing the syslog protocol from UDP to TCP, it worked for about five weeks.
Then it stopped working: nothing was being received by the syslog server.
Reverting to UDP enabled the logs to be delivered to the syslog server.
Enforce server > Palo Alto firewall > Splunk syslog server
TCP on port 514, the default syslog port, was blocked on the Palo Alto firewall for some sources, including the Enforce server.
Removed the firewall rule blocking TCP on port 514 coming from the Enforce server.
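
A connectivity check, run from the Enforce server, that separates the failure described above (an in-path firewall blocking TCP 514) from a syslog listener that is simply down. This is an added example, not part of the original article or of any vendor tooling; the function name, the test message format and the placeholder host name are assumptions.

```python
import socket
import sys


def probe_tcp_syslog(host, port=514, timeout=3.0, message=None):
    """Classify TCP reachability of a syslog listener from this host.

    Returns one of:
      "open"     - three-way handshake completed (message sent if given)
      "refused"  - a RST came back: nothing is listening, or an in-path
                   device rejects the connection with a reset
      "filtered" - no answer before the timeout, which is what a
                   firewall rule that silently drops the SYN looks like
      "error: …" - any other socket error (DNS failure, no route, ...)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if message is not None:
                # <134> = facility local0 (16 * 8) + severity info (6).
                # Newline-terminated framing is an assumption about the
                # receiver; adjust if it expects octet counting.
                s.sendall(f"<134>syslog-probe: {message}\n".encode())
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        return f"error: {exc.strerror or exc}"


if __name__ == "__main__":
    # Placeholder host name; pass the real syslog server as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "syslog.example.internal"
    result = probe_tcp_syslog(target, 514, message="connectivity test")
    print(f"{target}:514/tcp -> {result}")
    # UDP gives the sender no such signal: a dropped datagram and a
    # delivered one look identical, so confirm UDP delivery on the receiver.
    sys.exit(0 if result == "open" else 1)
```

A "filtered" or "refused" result while UDP delivery still works points at the network path rather than at the Enforce server's syslog configuration.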