It is not certain which folder your distro keeps the files in, and the filename is probably modified. I am running Slackware (Salix); just try whether the following instructions serve your purpose.
Be root first in order to examine the following records.
To find out who or which user has logged into the system from boot, issue:
Code:
find /var -iname wtmp -exec strings {} +
User names should be found among the terse strings. Usually those beside "tty7" have gone to the X session or the DE, since the X server mostly uses tty7 as its device.
Use the "id" command to find out the userID number of the user name, e.g. "id anis", then take note of the userID number because the next report uses the userID number.
To find out whether the user logged into the x-session and what time:
Code:
find /var -iname '*history*' -exec less {} +
There you find which display was used, whether set-user was attempted, etc.
The user can be identified from the logged line "session-unix-user=1000"; this value is the userID number.
Timestamps are available.
To find out if some users have tried (succeeded or failed) to take root authority or commands:
Code:
find /var -iname '*secure*' -exec cat {} +
You should find the timestamps conveniently listed.
Again, record naming and record keeping can vary between distros, so if you are not running Slackware my commands above should need a little modification. Just come back if you have a problem locating the files.
Hope that helps.
Good luck and enjoy.
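Added example, not part of the original post: `strings` on wtmp shows user names and ttys but not the login times, so this Python sketch decodes the binary records instead. It assumes the 384-byte little-endian utmp record layout used by glibc on Linux; the helper names and the sample records are constructed for illustration.

```python
import struct
import sys
from datetime import datetime, timezone

# Assumption: glibc Linux utmp record layout (384 bytes, little-endian):
# type, pid, line[32], id[4], user[32], host[256], exit(2 shorts),
# session, tv_sec, tv_usec, addr_v6[4], 20 unused bytes.
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20x")
USER_PROCESS = 7  # ut_type of a normal user login


def _text(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_wtmp(data):
    """Return (user, line, host, utc_time) for every user login record."""
    logins = []
    usable = len(data) - len(data) % UTMP.size  # ignore a truncated tail
    for off in range(0, usable, UTMP.size):
        f = UTMP.unpack_from(data, off)
        ut_type, line, user, host, sec = f[0], f[2], f[4], f[5], f[9]
        if ut_type != USER_PROCESS:
            continue  # skip boot, runlevel, getty and logout records
        when = datetime.fromtimestamp(sec, tz=timezone.utc)
        logins.append((_text(user), _text(line), _text(host), when))
    return logins


def _record(ut_type, user, line, host, sec):
    """Build one constructed record for the sample below."""
    return UTMP.pack(ut_type, 1234, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, sec, 0, 0, 0, 0, 0)


# Constructed sample: a boot record, an X login on tty7, a logout record
# and a few stray bytes standing in for a partially written record.
SAMPLE = (_record(2, "reboot", "~", "", 1699999000)
          + _record(7, "anis", "tty7", ":0", 1700000000)
          + _record(8, "", "tty7", "", 1700003600)
          + b"\x07\x00")

if __name__ == "__main__":
    # With a path argument, read that file (e.g. the wtmp found by find).
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for user, line, host, when in parse_wtmp(data):
        print(f"{when.isoformat()}  {user:<12} {line:<8} {host}")
```

Run it as root with the wtmp path reported by the find command above as the only argument; without an argument it prints the constructed sample.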