Thanks for posting! The "log" option is designed to be used with "debug ip access-list <ACL name>". An example from page 28 of Configuring IP Access Control Lists (ACLs) in AOS is shown below.
#debug access-list HOST
2009.06.09 14:15:03 ACCESS_LIST.HOST permit host 192.168.0.1 log (1 matches)
2009.06.09 14:15:13 ACCESS_LIST.HOST permit host 192.168.0.1 log (3 matches)
2009.06.09 14:15:57 ACCESS_LIST.HOST permit host 192.168.0.1 log (1 matches)
Therefore, this method is only going to be an option when capturing debug output while connected to the unit with Telnet or SSH. There may be another option, but this will likely generate a lot more Syslog messages than you desire. The following method uses firewall thresholds to send out event messages via Syslog or email notifications and is described starting on page 54 of Configuring the Firewall (IPv4) AOS. Below is an example configuration.
ip firewall policy-log threshold 1
logging forwarding on
logging facility local0
logging forwarding priority-level info
logging forwarding receiver-ip <syslog server IP address>
This information could then be searched for key phrases such as "No Access Policy matched".
I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.