i had this ip-security configuration on one of the x440-24t switches that had the syslog server configured on one of the ports :
enable ip-security anomaly-protection ip
enable ip-security anomaly-protection l4port
enable ip-security anomaly-protection tcp flags
enable ip-security anomaly-protection tcp fragment
enable ip-security anomaly-protection icmp
enable ip-security anomaly-protection notify log
enable ip-security anomaly-protection notify cache
configure ip-security anomaly-protection notify cache 100
configure ip-security anomaly-protection notify trigger on 5
Also i had configured on another x440-24p switches to log to the same syslog server :
configure syslog add 192.168.40.141:514 vr VR-Default local0
enable log target syslog 192.168.40.141:514 vr VR-Default local0
configure log target syslog 192.168.40.141:514 vr VR-Default local0 filter DefaultFilter severity Info
configure log target syslog 192.168.40.141:514 vr VR-Default local0 match Any
configure log target syslog 192.168.40.141:514 vr VR-Default local0 format timestamp seconds date Mmm-dd event-name condition severity priority host-name tag-name
But the problem is that the x440-24p switch is sending the log to the syslog server using the same UDP source port as the destination UDP port :514.
Please see in the attached log :
[i] L4 port anomaly detected on port 17 vlan Default: SMAC=00:04:96:98:23:C9 DMAC=00:11:32:1F:29:9F SIP=192.168.40.242 DIP=192.168.40.141 SPORT=514 DPORT=514 ip protocol  pkt length 
Definitely this is a bug and should be resolved in the next XOS release. Is the same "trap" as other network devices might have like printers for example using the same source port as the destination port.
I am using the 220.127.116.11 XOS release.