All right, we *finally* found the problem - not OSSEC, but a new system hardening step.
The NSA security guidelines recommend setting Linux systems to validate the source IP address of received packets. With eth3 up, this validation fails because the IP stack sees packets sourced from the network on eth3 coming in on eth0, which is a violation, and the packets are dropped. So it's not that OSSEC is listening on the wrong port, local_ip option or not; it's that the IP stack is dropping the packets before they get to OSSEC. Thanks so much for all your help!
