Hi jlozen,
I've managed large FortiGate environments that had such a need, to log to both FortiAnalyzer as well as a secondary system, in our case a SIEM.
If you are looking for guarantees then option 2 is your best choice because at that point there is little to go wrong, but as you point out it's hardly real time, and also sounds like a pain in the rear unless you can fully automate it.
Reliable syslog (or syslog over TCP 514 for those who don't know) is supported by a decent number of syslog servers and SIEMs, though it is a newer concept. It does address some of your concern.
Another option is that if the FortiAnalyzer is local to the secondary system, you can also forward logs from FAZ -> secondary system over UDP syslog (not sure if FAZ supports reliable syslog out, will need to check). But this means it is coming from a central point that is local on the network and could also work.
Hope this helps.
Cheers!
--
Sean Toomey, CISSP FCNSP
Consulting Security Engineer (CSE)
FORTINET— High Performance Network Security