When a system is compromised, attackers usually erase the syslog and other related log files in order to hide his/her intrusion activities.
Nowadays, attackers should also erase one more log file, namely sysdig. sysdig will log all the activities in a file, namely *.scap.gz. Sysadmin can backtrack all the activities of all users (including intruders).
For more details of sysdig, you can refer to Draios Blog - Fishing for Hackers: Analysis of a Linux Server Attack.
That's all! See you.