Is there any way for an SA to send policy permits and denies to syslog? The SRX sends out all sorts of detailed logs, but it seems like the SA doesn't send a thing? It makes things really hard to troubleshoot when I can't see the SA blocking traffic.
Events are logged locally and can be sent to one or many syslog servers. Navigate to System > Log/Monitoring > (Events or User Access or Admin Access) > Settings to configure your syslog servers and what you want to log.
I'm going to make the assumption that you're referring to VPN tunneling clients like Network Connect and Pulse when you say "policy permits and allows". I've troubleshot ACLs on cisco gear in the past and I don't think that you're going to find analogous packet drop list on the IVE or MAGs.
If you're allowing or blocking network ports and subnets that a user can reach with the VPN tunneling cliends based on Host Checker policies, I'd suggest using the User Access logs to see what roles and thus what policies are being assigned to a user once they're logged in. If your configuration is such that you have many VPN tunneling access policies assigned to a small number of roles, it may be easier to collect a policy trace for a user's session instead.