This can best be reproduced using actions that execute script code.
Steps to reproduce:
1) Activate an alfresco-api based audit configuration (i.e. put attached notification.xml into /shared/classes/alfresco/extension/audit/)
2) Create a script in the data dictionary that creates files / folders (see attached createStructure.js)
3) Setup a content rule on a directory that triggers the "Execute a script" action using the createStructure.js script
4) Trigger the content rule
5) Perform an audit query (via the Audit ReST API or the Share Extras Audit Dashlet)
Expectation: All file / folder creations are logged in the audit tables.
Observation: There is no result in the audit query as no events have been recorded.
Analysis: The AuditMethodInterceptor, which produces the data of "alfresco-api" has a guard against nested calls (presumably to prevent audit data extractors / generators to recursively trigger audit events). This guard is too generic as it also prevents service calls on other, subordniate public services to produce data. In the case of script actions, the top level service call to the public ScriptService prevents any calls to the FileFolderService (via ScriptNode) from generating audit data.
Please find attached a proposed patch that corrects the guard so it no longer prevents capturing of audit data on subordinate public service calls.