Other than running tcpdump at the same time, just trying to figure out if there is a way to identify who is causing these:
ossec-remoted(1403): ERROR: Incorrectly formated message from 'any'. when you have 2000 agents, it is kind of hard, but my guess is you are stuck with tcpdump and correlating the timestamp. I hope I am wrong. -k
