A firewall monitor is what you are really needing. The problem with monitoring firewall rules is that there are so many of them. As an example; if you have a rule with 2 sources, 2 destinations and 2 ports the firewall actually creates 8 rules for that even though you only created one.
One of the other very nice features about a firewall monitor is it can tell you about unused items in any rule or unused rules. Check out FireMon and it's competitors.
You might consider using SYSLOG with the ASA - it offers a ton of messages, some for ACLs. Here are two examples:
%PIX|ASA-2-106018: ICMP packet type ICMP_type denied by outbound list acl_ID src inside_address dest outside_address
The outgoing ICMP packet with the specified ICMP from local host (inside_address) to the foreign host (outside_address) was denied by the outbound ACL list.
Connection denied by outbound list acl_ID src inside_address dest outside_address
This is a connection-related message. This message is displayed if the specified connection fails because of an outbound deny command. The protocol
variable can be ICMP, TCP, or UDP.
SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 150,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process. Learn more today by joining now.