
How to block XP from connecting

tech_dude_
Contributor

With XP support ending, we're looking at blocking XP from connecting via SSLVPN.

 

I see Host Checker options to do OS checks to ALLOW XP, but I want the opposite...

as in...

If
     OS=XP, then deny
else,
    Allow

10 REPLIES 10
filbert_
Frequent Contributor

Re: How to block XP from connecting

In the host checker policy for XP choose "Custom" under Require:

Then enter

NOT <name of your hostchecker policy>

jbrandon_
Not applicable

Re: How to block XP from connecting

How can I determine in the log which OS users are using?

CaseyH_
Contributor

Re: How to block XP from connecting

I'd also like to know how to search the logs to see a 'report' type view of what OSs are being used by my clients.

dcvers_
Regular Contributor

Re: How to block XP from connecting

I don't think there is anything in the logs but if you go to the Authentication server and look at the user list the "Agent" column will show the browser string (which usually includes info about the OS) or Pulse version + OS.

John.Corbin_
Contributor

Re: How to block XP from connecting

If you are running 8.0Rx code on your SA, the dashboard will show you a breakdown of all the OSes being used and the percentage (in the last 24 hours).

As for denying XP, I currently have an OS check policy that allows XP through 8.1. When I start denying XP I will drill into my OS policy and uncheck XP as a supported OS. Not too difficult.

CaseyH_
Contributor

Re: How to block XP from connecting

I've not bumped up to 8.0Rx code yet.

My production boxes are still SA2000 (7.1R17), but I've got my MAG2600s (7.4R8) almost ready to roll out.

I was hoping that it collected the information it uses (Agent Type I believe) to create those numbers somewhere that was also accessible for a bit of a deeper dive. I'd like to be able to go back to anyone still using Windows XP and educate them on needing to upgrade to a newer OS.

John.Corbin_
Contributor

Re: How to block XP from connecting

I am not aware of a way to mine that kind of data in 7.x code. One solution would be to disable XP and then check the logs for people failing the OS check. It should give a message saying XP is not a compliant OS. Then filter on that log ID and you have a list of all failures. It won't give you unique users but it's a start. Then you can export to Excel and massage the data to give you the desired report.

juniper_
New Contributor

Re: How to block XP from connecting

Actually, pretty easy.

As stated earlier, make a custom policy under the Host Checker. Mine is called MS_allowed :)

Then select all the OS of Microsoft you want, press save and that should show you a second, or third, etc policy which will block XP and/or other OS you don't want supported.

braker_
Frequent Contributor

Re: How to block XP from connecting

Another possibility would be to create a role mapping rule that would 'capture' XP users and direct them to an informational or limited access role. I believe a custom expression like...
   userAgent = '*NT 5.1*' OR userAgent = '*Windows XP*'
would handle both Pulse and web portal users.
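
The following is an added example, not part of any post in this thread. It produces the per-user XP report asked about above by applying the same two wildcard patterns to an exported user list. It assumes the list has been saved as CSV with `user` and `agent` columns (the thread does not describe an export format), and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict
from fnmatch import fnmatchcase

# Same wildcard patterns as the role mapping expression in the thread.
XP_PATTERNS = ("*NT 5.1*", "*Windows XP*")

# Constructed sample export; the column names "user" and "agent" and the
# Pulse-style agent string are assumptions made for illustration.
SAMPLE_EXPORT = """user,agent
alice,"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
bob,"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0"
carol,"Junos-Pulse/5.0 (Windows XP) Pulse/5.0"
alice,"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
dave,
alice,"Mozilla/5.0 (Windows NT 6.1; rv:28.0) Gecko/20100101 Firefox/28.0"
"""


def is_xp(agent):
    """True if the agent string matches any of the XP patterns."""
    return any(fnmatchcase(agent, pattern) for pattern in XP_PATTERNS)


def xp_users(export_text):
    """Return {user: sorted distinct XP agent strings}, one entry per user."""
    hits = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text)):
        user = (row.get("user") or "").strip().lower()
        agent = (row.get("agent") or "").strip()
        # Skip rows with no user or no agent; a user who connects from both
        # XP and a newer OS is still listed, with only the XP agents shown.
        if user and is_xp(agent):
            hits[user].add(agent)
    return {user: sorted(agents) for user, agents in sorted(hits.items())}


if __name__ == "__main__":
    for user, agents in xp_users(SAMPLE_EXPORT).items():
        for agent in agents:
            print(f"{user}\t{agent}")
```

The agent string is supplied by the client, so this suits reporting and user outreach; the Host Checker OS policy remains the enforcement point.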