I've used Log4J in production on occasion, though admittedly always on-premise at a client.
As you've probably already spotted, it looks like the core problem is this:
Caused by: java.io.FileNotFoundException: velocity.log (Permission denied)
When running from the modeller, I would get similar errors when I had 'emulate cloud security' set to 'true'.
Both your initial solutions seem valid, but I'd also get in touch with Mendix and see if they are willing/able to adjust the standard cloud security settings.