Folks, just wanted to confirm this is right:
Imagine people are not sure which IPs should be allowed on a certain ACL. Then I need to find it. I thought about adding a "deny any any log" to the end of the ACL. The way I understand it is that the "deny any any" is at the end of every single ACL anyway and all I will do is gather "log" output, correct?
ip access-list extended MYACL
10 permit icmp any any
20 permit ip host 184.108.40.206 any
30 permit, etc
40 deny ...
100 permit ip any any
200 deny ip any any log <=== Add deny here
Conceptually you are correct that every access list has a deny any any at its end. And what you are doing is making that explicit and adding the log parameter, which will generate a log record showing what was denied.
This is the only reliable way to determine what should have been permitted and that was missed in constructing the access list.
Be aware that when you use the log parameter in the access list it will result in process switching of that packet since the CPU must be engaged to create the log entry.
And in the particular example that you give, specifying the deny any any log is useless. If the preceding line was permit any any then nothing will ever hit the final deny any any log.
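Once the logging deny is in place (and the permit ip any any ahead of it has been removed, otherwise it never fires), the remaining work is reading the log. The script below is an added example, not code from this thread or from Cisco: it parses the %SEC-6-IPACCESSLOGP (tcp/udp) and %SEC-6-IPACCESSLOGDP (icmp) syslog lines that "deny ip any any log" produces, collapses repeated hits into one row per protocol, destination and service, and prints candidate permit lines for a human to review. The hostnames, addresses and log lines are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (hypothetical router name and addresses) in
# the shape IOS emits for "deny ip any any log": %SEC-6-IPACCESSLOGP for
# tcp/udp (ports in parentheses) and %SEC-6-IPACCESSLOGDP for icmp (type/code
# in parentheses). One line belongs to a different ACL and must be ignored.
SAMPLE_LOG = """\
Mar  1 10:00:01 rtr1 1234: %SEC-6-IPACCESSLOGP: list MYACL denied tcp 10.10.1.5(51234) -> 10.20.2.9(443), 1 packet
Mar  1 10:00:03 rtr1 1235: %SEC-6-IPACCESSLOGP: list MYACL denied tcp 10.10.1.5(51240) -> 10.20.2.9(443), 4 packets
Mar  1 10:00:05 rtr1 1236: %SEC-6-IPACCESSLOGP: list MYACL denied udp 10.10.1.7(5353) -> 10.20.2.53(53), 2 packets
Mar  1 10:00:09 rtr1 1237: %SEC-6-IPACCESSLOGDP: list MYACL denied icmp 10.10.1.8 -> 10.20.2.9 (8/0), 1 packet
Mar  1 10:00:11 rtr1 1238: %SEC-6-IPACCESSLOGP: list OTHERACL denied tcp 192.0.2.4(40000) -> 10.20.2.9(22), 1 packet
"""

# tcp/udp denies carry source and destination ports
LOGP_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packet"
)
# icmp denies carry type/code instead of ports
LOGDP_RE = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+) \((?P<itype>\d+)/(?P<icode>\d+)\), "
    r"(?P<count>\d+) packet"
)


def parse_denies(text, acl):
    """Return one dict per log line that belongs to `acl`; lines for other
    ACLs or in a format we do not recognise are skipped."""
    denies = []
    for line in text.splitlines():
        m = LOGP_RE.search(line) or LOGDP_RE.search(line)
        if not m or m.group("acl") != acl:
            continue
        d = m.groupdict()
        d["count"] = int(d["count"])
        denies.append(d)
    return denies


def summarize(denies):
    """Aggregate by (proto, dst, service) so repeated hits from the same
    clients collapse into one row. `service` is the destination port for
    tcp/udp and "type/code" for icmp."""
    agg = defaultdict(lambda: {"packets": 0, "sources": set()})
    for d in denies:
        service = d["dport"] if "dport" in d else f"{d['itype']}/{d['icode']}"
        key = (d["proto"], d["dst"], service)
        agg[key]["packets"] += d["count"]
        agg[key]["sources"].add(d["src"])
    return dict(agg)


def suggest_permits(summary):
    """Turn each aggregated row into a candidate extended-ACL permit line.
    These are review material, not something to paste into a live ACL."""
    lines = []
    for (proto, dst, service), row in sorted(summary.items()):
        for src in sorted(row["sources"]):
            if proto in ("tcp", "udp"):
                lines.append(f"permit {proto} host {src} host {dst} eq {service}")
            else:
                itype, icode = service.split("/")
                lines.append(f"permit {proto} host {src} host {dst} {itype} {icode}")
    return lines


if __name__ == "__main__":
    summary = summarize(parse_denies(SAMPLE_LOG, "MYACL"))
    for key, row in sorted(summary.items()):
        print(key, row["packets"], "packets from", sorted(row["sources"]))
    print("\n".join(suggest_permits(summary)))
```

Two caveats when reading real output: the router logs the first matching packet and then only a periodic summary (five minutes by default), so the packet counts are approximate rather than exact, and every logged packet is process switched as the answer above notes, so run the collection for a bounded window rather than leaving the log keyword in place indefinitely.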