Are packets permitted by an ACL statement logged on a Cisco ASA Firewall?

I have been wondering for a while whether every packet that matches an ACL permit statement on a Cisco ASA firewall is logged to syslog.

The answer is that an ASA access control list, by default, logs only denied packets. With the default access-list logging behaviour (the log keyword not specified), a denied packet generates message 106023 and a permitted packet generates no syslog message from the ACL at all. Permitted traffic is still visible indirectly: once the ASA builds the connection it emits the usual connection messages at level 6 (302013 for TCP, 302015 for UDP), but those tell you that a connection was created, not which ACE permitted it.

Now, what if you want to see which packets are being permitted?

You are thinking right! Just add the log keyword at the end of your ACL statement:

access-list Outside_in extended permit ip any any log

A word of caution here: be extra careful when adding the log keyword. With log set, the ASA generates message 106100 for every flow matching that ACE and keeps each logged flow in a hash table so it can rate-limit the reports. If the traffic matching the statement is very high, the CPU and syslog load this creates can seriously degrade the ASA or, in the worst case, take it down. The keyword accepts an optional severity level and reporting interval (log [level] [interval secs], default level 6 and default interval 300 seconds), which bounds how often each flow is reported, and the number of tracked deny flows can be capped with access-list deny-flow-max.
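To see what this difference looks like at the syslog collector, here is an added example that is not part of the article and not a Cisco tool: a small parser run over constructed sample lines in the ASA formats for 106023, 106100 and 302013. The ACL name Outside_in, the addresses, ports and hit counts are all assumptions made up for the sample.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not captured from a real ASA, not from the
# article). Addresses and the ACL name Outside_in are assumptions.
# Before the log keyword is added: the ACL only reports denies (106023); the
# permitted HTTPS session is visible solely as a connection build (302013).
SAMPLE_DEFAULT = """\
%ASA-4-106023: Deny tcp src outside:203.0.113.5/44321 dst inside:192.0.2.10/22 by access-group "Outside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.5/44322 dst inside:192.0.2.10/22 by access-group "Outside_in" [0x0, 0x0]
%ASA-4-106023: Deny icmp src outside:203.0.113.9 dst inside:192.0.2.10 (type 8, code 0) by access-group "Outside_in" [0x0, 0x0]
%ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.5/44323 (203.0.113.5/44323) to inside:192.0.2.10/443 (192.0.2.10/443)
"""

# After the log keyword is added to the ACEs: per-flow 106100 messages, a
# "first hit" line and then rate-limited interval summaries carrying hit-cnt.
SAMPLE_WITH_LOG = """\
%ASA-6-106100: access-list Outside_in permitted tcp outside/203.0.113.5(44323) -> inside/192.0.2.10(443) hit-cnt 1 first hit [0x8c3b8d7f, 0x0]
%ASA-6-302013: Built inbound TCP connection 12346 for outside:203.0.113.5/44323 (203.0.113.5/44323) to inside:192.0.2.10/443 (192.0.2.10/443)
%ASA-6-106100: access-list Outside_in permitted tcp outside/203.0.113.5(44323) -> inside/192.0.2.10(443) hit-cnt 57 300-second interval [0x8c3b8d7f, 0x0]
%ASA-6-106100: access-list Outside_in denied udp outside/203.0.113.7(5000) -> inside/192.0.2.10(53) hit-cnt 120 300-second interval [0x1a2b3c4d, 0x0]
"""

# 106023: default logging of a denied packet. ICMP lines carry "(type N, code N)".
RE_DENY_DEFAULT = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\S+) src (?P<src>\S+) dst (?P<dst>\S+) '
    r'(?:\(type \d+, code \d+\) )?by access-group "(?P<acl>[^"]+)"'
)
# 106100: ACE with the log keyword; permitted or denied, with a per-flow hit counter.
RE_ACE_LOG = re.compile(
    r'%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) '
    r'(?P<src>\S+) -> (?P<dst>\S+) hit-cnt (?P<hits>\d+) '
    r'(?P<window>first hit|\d+-second interval)'
)
# 302013 / 302015: TCP / UDP connection built; emitted for permitted traffic
# whether or not the permitting ACE carries the log keyword.
RE_CONN_BUILT = re.compile(
    r'%ASA-\d-30201[35]: Built (?:inbound|outbound) (?:TCP|UDP) connection'
)


def summarize(text):
    """Aggregate ACL-related syslog lines.

    Returns {"acl": {(acl_name, action): {"messages": n, "hits": n}},
             "connections_built": n, "unparsed": n}.

    A 106023 line has no hit counter: the ASA emits one message per denied
    packet, so each line is one hit. A 106100 line is rate-limited per flow
    and carries hit-cnt, so hits are taken from that field instead of from
    the number of lines; summing the field shows how many matches the much
    smaller number of messages actually stands for.
    """
    acl = defaultdict(lambda: {"messages": 0, "hits": 0})
    conns = 0
    unparsed = 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RE_DENY_DEFAULT.search(line)
        if m:
            entry = acl[(m["acl"], "denied")]
            entry["messages"] += 1
            entry["hits"] += 1
            continue
        m = RE_ACE_LOG.search(line)
        if m:
            entry = acl[(m["acl"], m["action"])]
            entry["messages"] += 1
            entry["hits"] += int(m["hits"])
            continue
        if RE_CONN_BUILT.search(line):
            conns += 1
            continue
        unparsed += 1
    return {"acl": dict(acl), "connections_built": conns, "unparsed": unparsed}


def permitted_without_log_keyword(text):
    """True when connections were built (302013/302015) but no ACE reported a
    permit via 106100: the ACE permitting that traffic has no log keyword."""
    s = summarize(text)
    ace_logged_permit = any(action == "permitted" for (_, action) in s["acl"])
    return s["connections_built"] > 0 and not ace_logged_permit


if __name__ == "__main__":
    from pprint import pprint
    pprint(summarize(SAMPLE_DEFAULT))      # denies only, plus one connection build
    pprint(summarize(SAMPLE_WITH_LOG))     # permits now visible, with hit counts
```

The second sample is the one to keep in mind before adding log to a busy ACE: three 106100 lines stand for 178 matches, and on a real outside interface the per-flow table behind those lines is what grows.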

So what if you did not read this post to the end and added the log keyword before understanding its consequences?

You now need to know how to remove it.

If you want to remove the log keyword, do you need to "no" the whole ACE and then recreate it without log, or can you simply remove just the log keyword?

The correct way is to remove the whole ACE and then add it again without the log keyword. Keep in mind that an ACE added this way goes to the end of the access list; since the first matching entry wins, re-add it with the line keyword at its original position if the order matters.

If you try to do it by re-entering the ACE with just the log keyword dropped, the ASA throws this warning:

WARNING: <Outside_in> found duplicate element.
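A worked configuration walk-through of the above, added here as an example and not taken from the article: the ACL name Outside_in, the host address, the line number and the interval value are assumptions chosen for illustration.

```text
! Added example (not from the article). ACL name, address, line number and values are assumed.

! Logging off (the default): a denied packet gives 106023, a permitted packet gives nothing from the ACL.
access-list Outside_in extended permit tcp any host 192.0.2.10 eq 443

! Logging on: each matching flow is reported with 106100 at the default level 6,
! at most one summary per flow every 300 seconds (the default interval).
access-list Outside_in extended permit tcp any host 192.0.2.10 eq 443 log

! Safer variant for a busy ACE: explicit level, a longer reporting interval, and a cap
! on the number of deny flows the ASA tracks so the flow table cannot grow without bound.
access-list Outside_in extended permit tcp any host 192.0.2.10 eq 443 log 6 interval 600
access-list deny-flow-max 4096

! Taking the log keyword off again: the no form has to match the ACE exactly, log options included.
no access-list Outside_in extended permit tcp any host 192.0.2.10 eq 443 log 6 interval 600

! Re-adding without log would append the ACE at the end of the list; use line <n> to put it
! back where it was (check the current order first with: show access-list Outside_in).
access-list Outside_in line 1 extended permit tcp any host 192.0.2.10 eq 443
```

Check the result with show access-list Outside_in: the ACE should be back in its original position, with no log attribute shown, and the hit counter on it still increments so you can confirm traffic is matching even though nothing is logged per packet.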

Vipul Mani Tripathi

Cyber Security Officer | Security Architectural Reviewer | Vulnerability Assessment & Configuration Assessment | ISO 27001 | AWS Practitioner | CCNA & CCNP Security

2 years

Productive article. Missing Sitel with your articles

Rehan Ahmad

Sr Network and Security Engineer | Routing Switching | Firewall | ASA FTD-FMC | Checkpoint | Proxy WSA/MWG | F5 LTM GTM

2 years

Thank you bro for sharing your experience here


More articles by Zaid Khan
