I'm running v2.3 and I've seen the same behavior, Dave. When I add an <allowed-ips> tag to <secured> ossec launches a second remoted process that monitors 514/UDP. Fortunately, my server's syslogd was not trying to receive remote logs, so there was no conflict.
But, yes, I think this is a bug...unless a gray-beard could explain this behavior to us....
