Log parser query to get Exchange clients below a certain patch level

At my company we are currently in the early stages of an Exchange 2013 to Exchange 2016 migration and we needed to identify any Outlook clients below a certain patch level (ones we identified as having issues with MAPI over HTTP via a proxy). So we used the following Log Parser query to gather a list of all clients past a certain patch level after a certain date and ran it against the RPC and MAPI logs on all our Exchange servers.

SELECT EXTRACT_SUFFIX(client-name,0,'=') as User,
client-name as DN,client-software,
client-software-version as Version,
client-mode,
client-ip,
REVERSEDNS(client-ip) as ClientName, protocol,
TO_LOCALTIME(TO_TIMESTAMP(EXTRACT_PREFIX(TO_STRING([#Fields: date-time]),0,'T'), 'yyyy-MM-dd')) AS [Day]
FROM '[LOGFILEPATH]'
WHERE (operation='Connect')
And Day > TimeStamp('2017-07-11','yyyy-MM-dd')
And ((Version between '15.0.0000' and '15.0.4849.0000') OR (Version between '14.0.0000' and '14.0.7172.4000'))
GROUP BY User,DN,client-software,Version,client-mode,client-ip,ClientName,protocol,Day
ORDER BY User
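
The same filter applied outside Log Parser, as an added example that is not part of the original post: it reads constructed sample lines in the log's CSV layout (only the columns the query uses), requires the operation, date and version conditions together, and compares version components as numbers instead of strings. The sample DNs, IP addresses and the function names are assumptions made for the illustration.

```python
import csv
from datetime import date

# Constructed sample lines; columns limited to the fields the query reads.
SAMPLE_LOG = """\
#Fields: date-time,client-name,client-software,client-software-version,client-mode,client-ip,protocol,operation
2017-07-12T08:01:10.000Z,/o=Example/ou=Users/cn=alice,OUTLOOK.EXE,15.0.4569.1506,Cached,192.0.2.10,ncacn_http,Connect
2017-07-12T09:15:42.000Z,/o=Example/ou=Users/cn=alice,OUTLOOK.EXE,15.0.4569.1506,Cached,192.0.2.10,ncacn_http,Connect
2017-07-12T08:02:00.000Z,/o=Example/ou=Users/cn=bob,OUTLOOK.EXE,15.0.4953.1000,Cached,192.0.2.11,ncacn_http,Connect
2017-07-01T08:03:00.000Z,/o=Example/ou=Users/cn=carol,OUTLOOK.EXE,14.0.7015.1000,Cached,192.0.2.12,ncacn_http,Connect
2017-07-13T08:04:00.000Z,/o=Example/ou=Users/cn=dave,OUTLOOK.EXE,14.0.7015.1000,Classic,192.0.2.13,ncacn_http,Disconnect
2017-07-13T08:05:00.000Z,/o=Example/ou=Users/cn=erin,OUTLOOK.EXE,14.0.7172.4000,Cached,192.0.2.14,ncacn_http,Connect
2017-07-14T08:06:00.000Z,/o=Example/ou=Users/cn=frank,OUTLOOK.EXE,15.0.999.1000,Cached,192.0.2.15,ncacn_http,Connect
"""

CUTOFF = date(2017, 7, 11)
# Same bounds as the query, inclusive like BETWEEN.
RANGES = [("15.0.0000", "15.0.4849.0000"), ("14.0.0000", "14.0.7172.4000")]

def parse_version(text):
    """'15.0.4849.0000' -> (15, 0, 4849, 0); None if a component is not numeric."""
    try:
        parts = [int(p) for p in text.split(".")]
    except ValueError:
        return None
    return tuple(parts + [0] * (4 - len(parts)))

def in_flagged_range(version):
    v = parse_version(version)
    return v is not None and any(
        parse_version(lo) <= v <= parse_version(hi) for lo, hi in RANGES)

def flagged_clients(log_text):
    lines = log_text.splitlines()
    header = lines[0].split(": ", 1)[1].split(",")
    seen = set()  # the set plays the role of GROUP BY: one row per distinct client/day
    for row in csv.DictReader(lines[1:], fieldnames=header):
        day = date.fromisoformat(row["date-time"][:10])
        # Operation, date and version must all hold; the two version
        # ranges are OR-ed inside in_flagged_range only.
        if (row["operation"] == "Connect" and day > CUTOFF
                and in_flagged_range(row["client-software-version"])):
            seen.add((row["client-name"], row["client-software-version"],
                      row["client-ip"], day.isoformat()))
    return sorted(seen)

if __name__ == "__main__":
    for client in flagged_clients(SAMPLE_LOG):
        print(*client, sep="\t")
```

In the constructed sample, carol's 14.0 client connected before the cutoff and is left out, and frank's constructed three-digit build is caught by the numeric comparison although the string '15.0.999.1000' sorts after '15.0.4849.0000'.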

About mell9185

IT professional. Tech, video game, anime, and punk aficionado.