I think it’s likely that the log file deletions were done by the attacker. If the log content is still on the disk somewhere, it might be useful for forensic purposes (especially if this is a ‘new’ vulnerability), so avoid wiping it out if possible.
Cloud or on-site? If on-site, physical or virtual? What hardware firewall, if any, between PBX and the internet? What settings in FreePBX firewall?
Was the PBX current with all security updates? If not, when was it last updated? What forms of backup do you have?
If feasible, I would spin up a new PBX using your most recent backup before Feb 8, and test it for accessibility from the outside (SSH, admin GUI, UCP, provisioning, SIP). Scan for any open ports. If you left something wide open by mistake, it’s probably not worth it to find out exactly how the attacker got in, just start over with a new install and lock it down properly.
OTOH, if your test system seems secure, there may be some useful logs on the compromised system covering Feb. 8, e.g. Apache logs, system / security logs, etc. You may be able to recover the deleted files with testdisk or similar. Or, you may find the missing Asterisk log by searching the raw disk for one of the numbers the attacker called. It’s best if you can access the compromised file system from another clean system, or make an image copy to work on.
Knowing the details of your setup, we may be able to give more specific advice.