Besides the log files in /var/log, the intruder might have left behind evidence elsewhere. Some of these places are:
the shell history files for root and other accounts
users' various mailboxes, including outboxes such as .sent, mbox, and those in /var/spool/mail and /var/spool/mqueue
/tmp, /usr/tmp, and /var/tmp
hidden directories, such as /home/*/.??*
other cracker-created files, frequently with hidden names beginning with "."
backup tapes
the free space in the file systems, though it is nontrivial to search this
the logs of other systems, such as firewalls, intermediate compromised systems, and the ISP's systems
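
As an added example (not from the original text), the sweep below lists candidate files in the on-disk locations named above without modifying anything. It assumes its argument is a read-only mount of a copy of the disk (the /mnt/evidence path and the function names are illustrative) and a find that supports -mindepth/-maxdepth (GNU or BSD); backup tapes, free space, and other systems' logs are outside its scope.

```sh
#!/bin/sh
# Added example: list (never modify) candidate evidence under an evidence root.
# Assumption: $1 is a read-only, noatime mount of a disk copy, e.g. /mnt/evidence.

# tag LABEL: prefix each path read from stdin with its category.
tag() { sed "s|^|$1: |"; }

sweep_evidence() {
    root=${1:-/}
    root=${root%/}

    # Shell history files for root and other accounts.
    find "$root/root" "$root/home" -maxdepth 2 -type f -name '.*history' \
        2>/dev/null | tag history

    # Mailboxes and outboxes in home directories, plus the system spools.
    find "$root/root" "$root/home" -maxdepth 2 -type f \
        \( -name mbox -o -name .sent \) 2>/dev/null | tag mail
    find "$root/var/spool/mail" "$root/var/spool/mqueue" -type f \
        2>/dev/null | tag mail

    # Every entry in the temp directories, dot-names included.
    find "$root/tmp" "$root/usr/tmp" "$root/var/tmp" -mindepth 1 \
        2>/dev/null | tag tmp

    # Hidden directories, the find equivalent of the glob /home/*/.??*
    find "$root/home" -mindepth 2 -maxdepth 2 -type d -name '.??*' \
        2>/dev/null | tag hidden-dir

    # Names beginning with "." outside the home directories; the temp
    # directories are excluded because they are already listed above.
    find "$root/dev" "$root/etc" "$root/usr" "$root/var" -name '.*' \
        ! -path "$root/usr/tmp/*" ! -path "$root/var/tmp/*" \
        2>/dev/null | tag dot-name

    return 0
}
```

Call it as sweep_evidence /mnt/evidence and redirect the output to a file outside the evidence mount; each line is a category followed by a path to review by hand.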